Suricata User Guide

Table of Contents

1. What is Suricata

2. Major Features

3. Supported Platforms

4. Suricata Installation

4.1 Upgrading Suricata 1.0 to Suricata 1.1

4.2 Upgrading Suricata 1.1 to Suricata 1.2

4.3 Upgrading Suricata 1.2 to Suricata 1.3

4.4 Upgrading Suricata 1.3 to Suricata 1.3.1

4.5 Upgrading Suricata 1.3 to Suricata 1.4

4.6 Upgrading Suricata 1.4 to Suricata 2.0

4.6.1 Upgrading from Suricata 2.0beta to Suricata 2.0

5. Unit Tests

6. Command Line Options

6.1 Dropping Privileges After Startup

7. Compatibility with Snort

8. Suricata Rules

8.1 Meta-settings

8.2 Header keywords

8.3 Payload keywords

8.3.1 pcre (Perl Compatible Regular Expressions)
8.3.2 Fast Pattern

8.4 HTTP-keywords

8.5 Flow-keywords

8.6 File-keywords

8.7 Rule-Thresholding

8.8 Lua scripting

8.9 Adding Your Own Rules

8.10 Live Rule Swap

8.11 TLS-keywords

8.12 Normalized Buffers

8.13 Rule Profiling

9. Rule Management with Oinkmaster

9.1 Making sense out of Alerts

10. Performance

10.1 High Performance Configuration

10.2 Tuning Considerations

10.3 Statistics

10.4 Packet Profiling

10.5 Rule Profiling

10.6 Runmodes

10.7 Tcmalloc

11. Configuration

11.1 suricata.yaml

11.2 Global-Thresholds

11.3 Snort.conf to Suricata.yaml

12. Reputation

12.1 IP Reputation

12.1.1 IP Reputation Config
12.1.2 IP Reputation Rules
12.1.3 IP Reputation Format

12. Sniffing Packets with Wireshark

13. Init Scripts

14. Setting up IPS/inline for Linux

15. Syslog Alerting Compatibility

16. File Extraction

16.1 MD5

16.2 Filemd5 and white/black listing with MD5

16.3 Public SHA1, MD5 data sets

17. Interacting via Unix Socket

18. Public Data Sets

19. Build your own Suricata package - deb, rpm

20. Using Capture Hardware

20.1 Endace DAG

20.2 Napatech

20.3 Myricom

21. Misc Guides

21.1 Custom http logging

21.2 Suricata with OSSIM

21.3 Suricata, Snorby and Barnyard2 set up guide

21.4 Suricata with ELSA Enterprise logging set up guide

21.5 What to do with files-json.log output

21.5.1 Script FollowJSON
21.5.2 MySQL
21.5.3 PostgreSQL
21.5.4 Useful queries - for MySQL and PostgreSQL
21.5.5 MongoDB
21.5.6 Logstash, Kibana and Suricata JSON output

21.6 Upgrade Suricata to the latest git in Security Onion

21.7 NSM runmode

22. Reporting Bugs

23. GeoIP