Using Suricata to scan for attacks

Hi guys, new to the forum here. I am currently enrolled in an online masters program for cybersecurity and I am currently stuck on an assignment. Was hoping for some help here.

For my assignment I was to use Suricata via a Ubuntu VM to scan for network vulnerabilities as well as an attack I performed through a Kali Linux VM.

Here’s the instructions:

  • Download the Suricata software and configure it on Ubuntu.
  • Implement an attack from Kali Linux to target Ubuntu.
  • Using Suricata, perform a network and vulnerability scan of your virtual network.

This is where I get confused and bogged down. The steps on my tutorial weren’t clear as to go about scanning on Suricata, but when researching it seems to be an option on pfSense that you can enable, which completely goes around the instructions.

When asking for a scan, I assumed they want PCAP Info, so I type in the command:

Suricata --pcap I get this:

What am I doing wrong here?


Ubuntu (64-bit)


  • You have to indicate where suricata.yaml is located.
  • You have to specify in runmode
  • In suricata.yaml you have to indicate the interface:
   - interface: enp0s3
  • You have to indicate where the logs will be located.


sudo suricata --pcap --runmode autofp -c /etc/suricata/suricata.yaml -l ./log -vvv -knone