Suricata for Debian
-------------------

The engine is an Open Source Next Generation Intrusion Detection and
Prevention Tool, not intended to just replace or emulate the existing tools in
the industry, but to bring new ideas and technologies to the field.

To run the engine with default configuration on interface eth0 (in live mode),
run the following command (as root):
 suricata -c /etc/suricata/suricata.yaml -i eth0

To run in live NFQUEUE mode, use (as root):
 suricata -c /etc/suricata/suricata.yaml -q $QUEUE_ID

You can also run suricata on a PCAP file:
 suricata -c /etc/suricata/suricata.yaml -r file.pcap


Daemon system integration
-------------------------

The suricata daemon comes preconfigured to run as a system daemon with systemd.

You can start/stop the daemon with:
 % sudo systemctl start suricata.service
 % sudo systemctl stop suricata.service

You should copy /lib/systemd/system/suricata.service to
/etc/systemd/system/suricata.service and adapt the configuration to your needs.

The sysvinit script and related files (/etc/init.d/suricata and
/etc/default/suricata) will be eventually discarted at some point in the
future. The /etc/default/suricata file is ignored by the default
suricata.service file.

By now, there is no integration between suricata and libsystemd (so, options
like the watchdog are not supported).


Updating Rules
--------------

You should edit /etc/suricata/suricata.yaml and adjust it to fit your needs.
The recommended way to update rules is via suricata-update (also packaged in Debian).