Suricata for Debian ------------------- The engine is an Open Source Next Generation Intrusion Detection and Prevention Tool, not intended to just replace or emulate the existing tools in the industry, but to bring new ideas and technologies to the field. This is considered as a beta release. To run the engine with default configuration on interface eth0 (in live mode), run the following command (as root): suricata -c /etc/suricata/suricata.yaml -i eth0 To run in live NFQUEUE mode, use (as root): suricata -c /etc/suricata/suricata.yaml -q $QUEUE_ID You can also run suricata on a PCAP file: suricata -c /etc/suricata/suricata.yaml -r file.pcap Updating Rules -------------- The default configuration use the snort-rules-default package (with all rules loaded), and all logging modules activated. You should edit /etc/suricata/suricata.yaml and adjust it to fit your needs. Using rules from the snort-rules-default package will not provide up-to-date rules. The recommended method is to install oinkmaster, configure it to get Emerging Threats (ET), ET Pro or VRT rules. Edit ``/etc/oinkmaster.conf`` and use the following URL: http://rules.emergingthreats.net/open/suricata/emerging.rules.tar.gz For more help, see https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Rule_Management_with_Oinkmaster -- Pierre Chifflier Thu, 17 Nov 2011 22:58:00 +0100