Suricata User Guide

• 1. What is Suricata
  • 1.1. About the Open Information Security Foundation
• 2. Installation
  • 2.1. Source
  • 2.2. Binary packages
  • 2.3. Advanced Installation
• 3. Command Line Options
  • 3.1. Unit Tests
• 4. Suricata Rules
  • 4.1. Rules Format
  • 4.2. Meta Keywords
  • 4.3. IP Keywords
  • 4.4. TCP keywords
  • 4.5. ICMP keywords
  • 4.6. Payload Keywords
  • 4.7. Prefiltering Keywords
  • 4.8. Flow Keywords
  • 4.9. HTTP Keywords
  • 4.10. File Keywords
  • 4.11. DNS Keywords
  • 4.12. SSL/TLS Keywords
  • 4.13. JA3 Keywords
  • 4.14. Modbus Keyword
  • 4.15. DNP3 Keywords
  • 4.16. ENIP/CIP Keywords
  • 4.17. FTP/FTP-DATA Keywords
  • 4.18. Generic App Layer Keywords
  • 4.19. Xbits Keyword
  • 4.20. Thresholding Keywords
  • 4.21. IP Reputation Keyword
  • 4.22. Lua Scripting
  • 4.23. Differences From Snort
• 5. Rule Management
  • 5.1. Rule Management with Suricata-Update
  • 5.2. Rule Management with Oinkmaster
  • 5.3. Adding Your Own Rules
  • 5.4. Rule Reloads
• 6. Making sense out of Alerts
• 7. Performance
  • 7.1. Runmodes
  • 7.2. Packet Capture
  • 7.3. Tuning Considerations
  • 7.4. Hyperscan
  • 7.5. High Performance Configuration
  • 7.6. Statistics
  • 7.7. Ignoring Traffic
  • 7.8. Packet Profiling
  • 7.9. Rule Profiling
  • 7.10. Tcmalloc
• 8. Configuration
  • 8.1. Suricata.yaml
  • 8.2. Global-Thresholds
  • 8.3. Snort.conf to Suricata.yaml
  • 8.4. Multi Tenancy
  • 8.5. Dropping Privileges After Startup
• 9. Reputation
  • 9.1. IP Reputation
• 10. Init Scripts
• 11. Setting up IPS/inline for Linux
  • 11.1. Iptables configuration
• 12. Output
  • 12.1. EVE
  • 12.2. Lua Output
  • 12.3. Syslog Alerting Compatibility
  • 12.4. Custom http logging
  • 12.5. Custom tls logging
  • 12.6. Log Rotation
• 13. File Extraction
  • 13.1. Architecture
  • 13.2. Settings
  • 13.3. Output
  • 13.4. Rules
  • 13.5. MD5
• 14. Public Data Sets
• 15. Using Capture Hardware
  • 15.1. Endace DAG
  • 15.2. Napatech Suricata Installation Guide
  • 15.3. Myricom
  • 15.4. eBPF and XDP
• 16. Interacting via Unix Socket
  • 16.1. Introduction
  • 16.2. Commands in standard running mode
  • 16.3. Commands on the cmd prompt
  • 16.4. Pcap processing mode
  • 16.5. Build your own client
• 17. Man Pages
  • 17.1. Suricata
• 18. Acknowledgements
• 19. Licenses
  • 19.1. GNU General Public License
  • 19.2. Creative Commons Attribution-NonCommercial 4.0 International Public License
  • 19.3. Suricata Source Code
  • 19.4. Suricata Documentation