Actions
Feature #4217
opennot complete cmd start line does not produce expliccit enough warning or msg
Effort:
Difficulty:
Label:
Beginner
Description
This is no problem/issue for experienced users however it can be not so revealing for new users.
If a cmd line is used that is not complete/correct in terms of runmode or interface the info/warning msg is not revealing of what the actual problem is.
In the case below an interface (or --af-packet) is actually missing form the command - maybe check for interface or run mode and warn about not being used?
/opt/suritest-tmp/bin/suricata -c /etc/suricata/suricata.yaml -S /dev/null
Suricata 7.0.0-dev (372fc2673 2020-12-11)
USAGE: /opt/suritest-tmp/bin/suricata [OPTIONS] [BPF FILTER]
-c <path> : path to configuration file
-T : test configuration file (use with -c)
-i <dev or ip> : run in pcap live mode
-F <bpf filter file> : bpf filter file
-r <path> : run in pcap file/offline mode
-s <path> : path to signature file loaded in addition to suricata.yaml settings (optional)
-S <path> : path to signature file loaded exclusively (optional)
-l <dir> : default log directory
-D : run as daemon
-k [all|none] : force checksum check (all) or disabled it (none)
-V : display Suricata version
-v : be more verbose (use multiple times to increase verbosity)
--list-app-layer-protos : list supported app layer protocols
--list-keywords[=all|csv|<kword>] : list keywords implemented by the engine
--list-runmodes : list supported runmodes
--runmode <runmode_id> : specific runmode modification the engine should run. The argument
supplied should be the id for the runmode obtained by running
--list-runmodes
--engine-analysis : print reports on analysis of different sections in the engine and exit.
Please have a look at the conf parameter engine-analysis on what reports
can be printed
--pidfile <file> : write pid to this file
--init-errors-fatal : enable fatal failure on signature init error
--disable-detection : disable detection engine
--dump-config : show the running configuration
--dump-features : display provided features
--build-info : display build information
--pcap[=<dev>] : run in pcap mode, no value select interfaces from suricata.yaml
--pcap-file-continuous : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted
--pcap-file-delete : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done
--pcap-file-recursive : will descend into subdirectories when running in replay mode (-r)
--pcap-buffer-size : size of the pcap buffer value from 0 - 2147483647
--af-packet[=<dev>] : run in af-packet mode, no value select interfaces from suricata.yaml
--simulate-ips : force engine into IPS mode. Useful for QA
--user <user> : run suricata as this user after init
--group <group> : run suricata as this group after init
--erf-in <path> : process an ERF file
--unix-socket[=<file>] : use unix socket to control suricata work
--reject-dev <dev> : send reject packets from this interface
--set name=value : set a configuration value
To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:
/opt/suritest-tmp/bin/suricata -c suricata.yaml -s signatures.rules -i eth0
Updated by Juliana Fajardini Reichow 7 months ago
- Assignee set to Community Ticket
- Target version set to 8.0.0-beta1
Actions