Feature #4217


not complete cmd start line does not produce explicit enough warning or msg

Added by Peter Manev over 3 years ago. Updated 7 months ago.

Target version:


This is no problem/issue for experienced users however it can be not so revealing for new users.

If a cmd line is used that is not complete/correct in terms of runmode or interface the info/warning msg is not revealing of what the actual problem is.
In the case below an interface (or --af-packet) is actually missing from the command - maybe check for interface or run mode and warn about not being used?

/opt/suritest-tmp/bin/suricata -c /etc/suricata/suricata.yaml  -S /dev/null 
Suricata 7.0.0-dev (372fc2673 2020-12-11)
USAGE: /opt/suritest-tmp/bin/suricata [OPTIONS] [BPF FILTER]

        -c <path>                            : path to configuration file
        -T                                   : test configuration file (use with -c)
        -i <dev or ip>                       : run in pcap live mode
        -F <bpf filter file>                 : bpf filter file
        -r <path>                            : run in pcap file/offline mode
        -s <path>                            : path to signature file loaded in addition to suricata.yaml settings (optional)
        -S <path>                            : path to signature file loaded exclusively (optional)
        -l <dir>                             : default log directory
        -D                                   : run as daemon
        -k [all|none]                        : force checksum check (all) or disabled it (none)
        -V                                   : display Suricata version
        -v                                   : be more verbose (use multiple times to increase verbosity)
        --list-app-layer-protos              : list supported app layer protocols
        --list-keywords[=all|csv|<kword>]    : list keywords implemented by the engine
        --list-runmodes                      : list supported runmodes
        --runmode <runmode_id>               : specific runmode modification the engine should run.  The argument
                                               supplied should be the id for the runmode obtained by running
        --engine-analysis                    : print reports on analysis of different sections in the engine and exit.
                                               Please have a look at the conf parameter engine-analysis on what reports
                                               can be printed
        --pidfile <file>                     : write pid to this file
        --init-errors-fatal                  : enable fatal failure on signature init error
        --disable-detection                  : disable detection engine
        --dump-config                        : show the running configuration
        --dump-features                      : display provided features
        --build-info                         : display build information
        --pcap[=<dev>]                       : run in pcap mode, no value select interfaces from suricata.yaml
        --pcap-file-continuous               : when running in pcap mode with a directory, continue checking directory for pcaps until interrupted
        --pcap-file-delete                   : when running in replay mode (-r with directory or file), will delete pcap files that have been processed when done
        --pcap-file-recursive                : will descend into subdirectories when running in replay mode (-r)
        --pcap-buffer-size                   : size of the pcap buffer value from 0 - 2147483647
        --af-packet[=<dev>]                  : run in af-packet mode, no value select interfaces from suricata.yaml
        --simulate-ips                       : force engine into IPS mode. Useful for QA
        --user <user>                        : run suricata as this user after init
        --group <group>                      : run suricata as this group after init
        --erf-in <path>                      : process an ERF file
        --unix-socket[=<file>]               : use unix socket to control suricata work
        --reject-dev <dev>                   : send reject packets from this interface
        --set name=value                     : set a configuration value

To run the engine with default configuration on interface eth0 with signature file "signatures.rules", run the command as:

/opt/suritest-tmp/bin/suricata -c suricata.yaml -s signatures.rules -i eth0 
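The check the ticket asks for, written as an added example wrapper script rather than as Suricata code: it walks the argument list and refuses to start the engine unless one of the capture-source options from the usage text above (or an informational option such as -T that needs no source) is present, printing an explicit message instead of the generic usage dump. The option list is copied from the usage output quoted in this ticket; the SURICATA_BIN variable, the function names and the message wording are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Suricata code: pre-flight check that the command line
# names a capture source or run mode before handing it to the suricata binary.
# Option names come from the usage text in this ticket; SURICATA_BIN and the
# message text are assumptions of this example.

# Print the explicit warning to stderr (wording is an assumption).
missing_source_msg() {
    cat >&2 <<'EOF'
suricata-check: no capture source or run mode given on the command line.
Add one of: -i <dev>, -r <path>, --af-packet[=<dev>], --pcap[=<dev>],
--unix-socket[=<file>] or --erf-in <path> (or -T to only test the config).
EOF
}

# check_runmode ARGS...
# Returns 0 when the arguments select a capture source, or when they request
# an action that needs none (-T, -V, --list-*, --dump-config, ...).
# Returns 1, after printing the warning, when neither is present, which is
# the ticket's case of a command line carrying only -c and -S.
check_runmode() {
    source_seen=0
    info_seen=0
    for arg in "$@"; do
        case "$arg" in
            # short options, with the value either separate (-i eth0) or attached (-ieth0)
            -i|-i?*|-r|-r?*) source_seen=1 ;;
            --af-packet|--af-packet=*|--pcap|--pcap=*) source_seen=1 ;;
            --unix-socket|--unix-socket=*|--erf-in) source_seen=1 ;;
            # actions that legitimately run without a capture source
            -T|-V|--build-info|--dump-config|--dump-features) info_seen=1 ;;
            --list-*|--engine-analysis) info_seen=1 ;;
        esac
    done
    if [ "$source_seen" -eq 1 ] || [ "$info_seen" -eq 1 ]; then
        return 0
    fi
    missing_source_msg
    return 1
}

# run_suricata ARGS...
# Refuses to start the engine when check_runmode fails; otherwise runs it.
run_suricata() {
    check_runmode "$@" || return 1
    "${SURICATA_BIN:-suricata}" "$@"
}
```

Note that --runmode only modifies how an already selected source is processed, so it is deliberately not counted as a source; a command such as `--runmode workers -c suricata.yaml` still triggers the warning. The check is purely lexical and does not read suricata.yaml, so a configuration that names interfaces for a bare --af-packet is treated as complete, matching the usage text's "no value select interfaces from suricata.yaml".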
Actions #1

Updated by Juliana Fajardini Reichow 7 months ago

  • Assignee set to Community Ticket
  • Target version set to 8.0.0-beta1
