Suricata User Guide

Table of Contents

1. What is Suricata

2. Major Features

3. Supported Platforms

4. Suricata Installation

4.1 Upgrading Suricata 1.0 to Suricata 1.1

4.2 Upgrading Suricata 1.1 to Suricata 1.2

4.3 Upgrading Suricata 1.2 to Suricata 1.3

4.4 Upgrading Suricata 1.3 to Suricata 1.3.1

4.5 Upgrading Suricata 1.3 to Suricata 1.4

4.6 Upgrading Suricata 1.4 to Suricata 2.0

4.6.1 Upgrading from Suricata 2.0beta to Suricata 2.0

4.7 Upgrading Suricata 2.0 to Suricata 2.1

6. Command Line Options

6.1 Dropping Privileges After Startup

7. Compatibility with Snort

8. Suricata Rules

8.1 Meta-settings

8.2 Header keywords

8.3 Payload keywords

8.3.1 pcre (Perl Compatible Regular Expressions)
8.3.2 Fast Pattern

8.3.2.1 Suricata Fast Pattern Determination Explained

8.4 HTTP-keywords

8.5 Flow-keywords

8.5.1 Flow Ints

8.6 File-keywords

8.7 Rule-Thresholding

8.8 Lua scripting

8.9 Adding Your Own Rules

8.10 Live Rule Swap

8.11 TLS-keywords

8.12 Normalized Buffers

8.13 Rule Profiling

8.14 Modbus keyword

8.15 DNP3 keyword

9. Rule Management with Oinkmaster

9.1 Making sense out of Alerts

10. Performance

10.1 High Performance Configuration

10.2 Tuning Considerations

10.3 Statistics

10.4 Packet Profiling

10.5 Rule Profiling

10.6 Runmodes

10.7 Tcmalloc

10.8 Ignoring Traffic

11. Configuration

11.1 suricata.yaml

11.2 Global-Thresholds

11.3 Snort.conf to Suricata.yaml

11.4 Log Rotation

11.5 Lua Output

12. Reputation

12.1 IP Reputation

12.1.1 IP Reputation Config
12.1.2 IP Reputation Rules
12.1.3 IP Reputation Format

13. Init Scripts

14. Setting up IPS/inline for Linux

15. Output

15.1 Eve (JSON)

15.1.1 Eve Configuration
15.1.2 Eve Format
15.1.3 Eve JQ Examples

15.2 Lua Output
15.3 Syslog Alerting Compatibility
15.4 Custom http logging
15.5 Log Rotation
15.6 What to do with files-json.log output

15.6.1 Script FollowJSON
15.6.2 MySQL
15.6.3 PostgreSQL
15.6.4 Useful queries - for MySQL and PostgreSQL
15.6.5 MongoDB
15.6.6 Logstash, Kibana and Suricata JSON output

15.6.6.1 Templates for Kibana/Logstash to use with Suricata IDPS

16. File Extraction

16.1 MD5

16.2 Filemd5 and white/black listing with MD5

16.3 Public SHA1, MD5 data sets

18. Public Data Sets

20. Using Capture Hardware

20.1 Endace DAG

20.2 Napatech

20.3 Myricom

21. Misc Guides

21.1 Build your own Suricata package - deb, rpm

21.2 Suricata with OSSIM

21.3 Suricata, Snorby and Barnyard2 set up guide

21.4 Suricata with ELSA Enterprise logging set up guide

21.6 Upgrade Suricata to the latest git in Security Onion

21.7 NSM runmode

21.8 Sniffing Packets with Wireshark

21.9 GeoIP

21.10 Protocol Anomalies Detection

21.11 Interacting via Unix Socket

22. Reporting Bugs