Suricata User Guide

• 1. What is Suricata
• 2. Installation
• 3. Command Line Options
• 4. Suricata Rules
  • 4.1. Rules Introduction
  • 4.2. Meta-settings
  • 4.3. Header Keywords
  • 4.4. Prefilter
  • 4.5. Payload Keywords
    • 4.5.1. pcre (Perl Compatible Regular Expressions)
    • 4.5.2. Fast Pattern
      • 4.5.2.1. Suricata Fast Pattern Determination Explained
  • 4.6. HTTP Keywords
  • 4.7. Flow Keywords
  • 4.8. Flowint
  • 4.9. File Keywords
  • 4.10. Rule Thresholding
  • 4.11. DNS Keywords
  • 4.12. SSL/TLS Keywords
  • 4.13. Modbus Keyword
  • 4.14. DNP3 Keywords
  • 4.15. ENIP/CIP Keywords
  • 4.16. Generic App Layer Keywords
  • 4.17. Lua Scripting
  • 4.18. Normalized Buffers
    • 4.18.1. HTTP-uri normalization
  • 4.19. Snort Compatibility
• 5. Rule Management
  • 5.1. Rule Management with Oinkmaster
  • 5.2. Adding Your Own Rules
  • 5.3. Rule Reloads
• 6. Making sense out of Alerts
• 7. Performance
  • 7.1. Runmodes
  • 7.2. Packet Capture
  • 7.3. Tuning Considerations
  • 7.4. Hyperscan
  • 7.5. High Performance Configuration
  • 7.6. Statistics
  • 7.7. Ignoring Traffic
  • 7.8. Packet Profiling
  • 7.9. Rule Profiling
  • 7.10. Tcmalloc
• 8. Configuration
  • 8.1. Suricata.yaml
  • 8.2. Global-Thresholds
  • 8.3. Snort.conf to Suricata.yaml
  • 8.4. Log Rotation
  • 8.5. Multi Tenancy
  • 8.6. Dropping Privileges After Startup
• 9. Reputation
  • 9.1. IP Reputation
    • 9.1.1. IP Reputation Config
    • 9.1.2. IP Reputation Rules
    • 9.1.3. IP Reputation Format
• 10. Init Scripts
• 11. Setting up IPS/inline for Linux
• 12. Output
  • 12.1. EVE
    • 12.1.1. Eve JSON Output
    • 12.1.2. Eve JSON Format
    • 12.1.3. Eve JSON ‘jq’ Examples
  • 12.2. Lua Output
  • 12.3. Syslog Alerting Compatibility
  • 12.4. Custom http logging
• 13. File Extraction
  • 13.5.1. Storing MD5s checksums
  • 13.5.2. Public SHA1 MD5 data sets
• 14. Public Data Sets
• 15. Using Capture Hardware
  • 15.1. Endace DAG
  • 15.2. Myricom
• 16. Interacting via Unix Socket
• 17. Man Pages
  • 17.1. Suricata
• 18. Acknowledgements
• 19. Licenses
  • 19.1. GNU General Public License
  • 19.2. Creative Commons Attribution-NonCommercial 4.0 International Public License