How to use suricata offline

I looking how to use suricata offline.
I want to send to Suricata Pcap (maybe with Api) file and let’s Suricata to analyze it. If this pcap is fix for any signature

How can I do that?

You can pass a pcap via -r file.pcap to run in pcap mode. In addition to that you can use unix socket, see 20. Interacting via Unix Socket — Suricata 6.0.1 documentation

Thank you.

Why Suricata can’t get Pcap file with Rest Api without reset,so I will not need to run cmd from terminal? I want to send lot of pcap files automatically each hours ,is there any solution for that?

How can I get the results which if and witch signature my pcap has been triggered?

Yes, as I said, you can use the unix socket method and forward those pcaps to a running Suricata instance.

Those details are shown in the eve.json logfile that you can configure for your use case, see 15.1. EVE — Suricata 6.0.1 documentation

I sorry my friend but I didn’t understand you.
When I run with Unix socket ,I understand that I need to run pcap-file in Suricata terminal to upload Pcap.

Is there any another way to send the Pcao file via unix socket to Suricata?

Please read the official documentation. You can run Suricata with unix socket mode enabled and use suricatasc for example to ingest pcaps as you see fit. You can also write your own tool for that and use the socket interface, but I suggest starting with suricatasc see 20. Interacting via Unix Socket — Suricata 6.0.1 documentation for the usage but also how to use your own tooling.


Have you considered Dalton? – GitHub - secureworks/dalton: Suricata and Snort IDS rule and pcap testing system. Programmatic submission is possible and you can pull the results via an API. There is a new version coming out soon that fixes/improves some of the API, as well as a few other things like leveraging suricatasc to process a lot of pcaps/jobs very quickly (it’s currently under development at GitHub - counterthreatunit/dalton: Suricata and Snort IDS rule and pcap testing system).

Let me know if you have any questions.

1 Like

@dwharton Do you the developer of Dalton? Is there any support forum?
I didn’t understand the goal of that system.
Is Dalton using Suricata/Snort of yes, why do I need Dalton?
Is that easly to write signature for pcap file into Dalton than Suricata/Snort?
Is there any video that show the system?

Yes, I’m the developer. No, there is not a support forum but there is documentation (and code) which I encourage you to read.