Network IDS, IPS and Network Security Monitoring

Address group name
  Predefined names: home-net, external-net, http-servers, smtp-servers, sql-servers, dns-servers, telnet-servers, aim-servers, dc-servers, dnp3-server, dnp3-client, modbus-client, modbus-server, enip-client, enip-server
  Custom names: [a-z0-9-]+

IP address or subnet (address group member)
  ipv4       IPv4 address to match
  ipv6       IPv6 address to match
  ipv4net    IPv4 prefix to match
  ipv6net    IPv6 prefix to match
  !ipv4      Exclude the specified IPv4 address from matches
  !ipv6      Exclude the specified IPv6 address from matches
  !ipv4net   Exclude the specified IPv4 prefix from matches
  !ipv6net   Exclude the specified IPv6 prefix from matches

Address group (service ids suricata address-group)
  string     Address group to match (home-net, external-net, http-servers, smtp-servers, sql-servers, dns-servers, telnet-servers, aim-servers, dc-servers, dnp3-server, dnp3-client, modbus-client, modbus-server, enip-client, enip-server, or a custom name)
  !string    Exclude the specified address group from matches
  Syntax: !?[a-z0-9-]+

Port group name
  Predefined names: http-ports, shellcode-ports, oracle-ports, ssh-ports, dnp3-ports, modbus-ports, file-data-ports, ftp-ports, geneve-ports, vxlan-ports, teredo-ports
  Custom names: [a-z0-9-]+

Port number (port group member)
  u32:1-65535    Numeric port to match
  !u32:1-65535   Numeric port to exclude from matches
  start-end      Numbered port range (e.g. 1001-1005) to match
  !start-end     Numbered port range (e.g. !1001-1005) to exclude from matches

Port group (service ids suricata port-group)
  string     Port group to match (http-ports, shellcode-ports, oracle-ports, ssh-ports, dnp3-ports, modbus-ports, file-data-ports, ftp-ports, geneve-ports, vxlan-ports, teredo-ports, or a custom name)
  !string    Exclude the specified port group from matches
  Syntax: !?[a-z0-9-]+

Suricata log outputs

Extensible Event Format (EVE)

EVE logging destination
  regular    Log to filename
  syslog     Log to syslog
  Syntax: (regular|syslog)
  Default: regular

Log file filename
  filename   File name in default Suricata log directory
  /path      Absolute file path
  Default: eve.json

Log types
  Values: alert, anomaly, drop, files, http, dns, tls, smtp, dnp3, ftp, rdp, nfs, smb, tftp, ikev2, dcerpc, krb5, snmp, rfb, sip, dhcp, ssh, mqtt, http2, flow, netflow
  alert        Record events for rule matches
  anomaly      Record unexpected conditions such as truncated packets, packets with invalid IP/UDP/TCP length values, and other events that render the packet invalid for further processing or describe unexpected behavior on an established stream
  drop         Record events for dropped packets
  files        Record file details (e.g., MD5) for files extracted from application protocols (e.g., HTTP)
  application  (http, dns, tls, ...) Record application-level transactions
  flow         Record bi-directional flows
  netflow      Record uni-directional flows
  Syntax: (alert|anomaly|http|dns|tls|files|drop|smtp|dnp3|ftp|rdp|nfs|smb|tftp|ikev2|dcerpc|krb5|snmp|rfb|sip|dhcp|ssh|mqtt|http2|flow|netflow)
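As an added example (not from the VyOS documentation and not VyOS's own configuration generator): a small Python checker that classifies address-group and port-group values by the value kinds listed in the tables above, rejects ports outside 1-65535 and descending ranges, and renders one group as a suricata.yaml vars line. The rendering step is an assumption about Suricata's variable syntax (upper-case name with hyphens replaced by underscores, referenced groups as $NAME or !$NAME, members in a bracketed comma list); the page does not show that mapping.

```python
import ipaddress
import re

GROUP_RE = re.compile(r"^!?[a-z0-9-]+$")       # group name grammar: !?[a-z0-9-]+
RANGE_RE = re.compile(r"^(!?)(\d+)-(\d+)$")    # start-end or !start-end

def check_address(value: str) -> str:
    """Return ipv4/ipv6/ipv4net/ipv6net, "!"-prefixed for exclusions; raise otherwise."""
    neg, raw = ("!", value[1:]) if value.startswith("!") else ("", value)
    try:
        if "/" in raw:
            kind = f"ipv{ipaddress.ip_network(raw, strict=False).version}net"
        else:
            kind = f"ipv{ipaddress.ip_address(raw).version}"
    except ValueError as exc:
        raise ValueError(f"{value!r} is not an IP address or prefix") from exc
    return neg + kind

def check_port(value: str) -> str:
    """Return u32 or start-end (optionally "!"-prefixed), enforcing 1-65535 and ascending ranges."""
    m = RANGE_RE.match(value)
    if m:
        neg, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"{value!r}: range must ascend and stay within 1-65535")
        return neg + "start-end"
    neg, raw = ("!", value[1:]) if value.startswith("!") else ("", value)
    if not raw.isdigit() or not 1 <= int(raw) <= 65535:
        raise ValueError(f"{value!r}: port must be a number from 1 to 65535")
    return neg + "u32"

def check_group_ref(value: str) -> str:
    """Classify a reference to another group as string or !string."""
    if not GROUP_RE.match(value):
        raise ValueError(f"{value!r} is not a valid group name")
    return "!string" if value.startswith("!") else "string"

def to_suricata_var(name: str, members: list, refs: list, check) -> str:
    """Render one group as a suricata.yaml vars line such as HOME_NET: "[...]".
    Assumed mapping (not shown on the page): upper-case, hyphens to underscores,
    referenced groups become $NAME, negated references !$NAME."""
    for m in members:
        check(m)                      # raises on a value of the wrong kind
    items = list(members)
    for ref in refs:
        check_group_ref(ref)
        bang, base = ("!", ref[1:]) if ref.startswith("!") else ("", ref)
        items.append(bang + "$" + base.upper().replace("-", "_"))
    joined = ",".join(items)
    return f'{name.upper().replace("-", "_")}: "[{joined}]"'
```

Run `check_address`, `check_port` and `check_group_ref` over each entry of a group before committing it; a value that raises is one the tables above do not allow.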