__ _______________________ _________._________________________ \_ _____/ \______ \ / _ \ / _____/ / _____/ | | \_ _____/ | __) | _/ / /_\ \ / \ ___ / \ ___ | | | __)_ | \ | | \ / | \ \ \_\ \ \ \_\ \ | |___ | \ \___ / |____|_ / \____|__ / \______ / \______ / |_______ \ /_______ / \/ \/ \/ \/ \/ \/ \/

suricata Cheatsheet

← Back to cheatsheets

← Home

Suricata is a high-performance network IDS, IPS, and network security monitoring engine. Multi-threaded, protocol-aware, and capable of real-time intrusion detection and prevention.

Basic Usage

  • suricata -c suricata.yaml -i eth0 - Run on interface
  • suricata -c suricata.yaml -r file.pcap - Analyze pcap
  • suricata -c suricata.yaml -T - Test configuration
  • suricata -c suricata.yaml -v - Verbose mode
  • suricata -c suricata.yaml -S rules.rules -i eth0 - Custom rules

Options

  • -c config - Configuration file
  • -i interface - Network interface
  • -r file - Read from pcap file
  • -T - Test configuration
  • -v - Verbose output
  • -S file - Rules file
  • -l directory - Log directory
  • -D - Run as daemon
  • -u user - Run as user
  • -g group - Run as group

Configuration

  • /etc/suricata/suricata.yaml - Main configuration
  • /etc/suricata/rules/ - Rules directory
  • /var/log/suricata/ - Log directory
  • /var/lib/suricata/ - Data directory

Rule Management

  • suricata-update - Update rules
  • suricata-update list-sources - List rule sources
  • suricata-update enable-source et/open - Enable source
  • suricata-update update-sources - Update sources
  • suricata-update -f - Force update

Log Files

  • /var/log/suricata/eve.json - JSON event log
  • /var/log/suricata/fast.log - Fast alert log
  • /var/log/suricata/stats.log - Statistics log
  • /var/log/suricata/http.log - HTTP log
  • /var/log/suricata/tls.log - TLS log

Common Examples

Test Configuration

suricata -c /etc/suricata/suricata.yaml -T

Validate configuration file.

Run on Interface

suricata -c /etc/suricata/suricata.yaml -i eth0

Start monitoring interface.

Analyze PCAP

suricata -c /etc/suricata/suricata.yaml -r capture.pcap

Analyze captured traffic.

Update Rules

suricata-update

Update detection rules.

View Alerts

tail -f /var/log/suricata/fast.log

Monitor alerts in real-time.

JSON Events

jq '.alert' /var/log/suricata/eve.json

Parse JSON event log.

Service Management

systemctl start suricata
systemctl status suricata

Manage as systemd service.

Rule Syntax

  • alert action protocol src port -> dst port (options) - Basic rule
  • msg - Alert message
  • sid - Signature ID
  • rev - Revision number
  • content - Pattern to match
  • pcre - Perl-compatible regex

Tips

  • Always test configuration with -T before running
  • Update rules regularly with suricata-update
  • Monitor eve.json for comprehensive event data
  • Use IPS mode for active blocking (requires proper setup)
  • Configure log rotation for large deployments
  • Fine-tune rules for your environment
  • Monitor performance and adjust threads
  • Essential for network security monitoring