========================================================================= If you want to run Suricata in IDS mode, add to /etc/rc.conf: suricata_enable="YES" suricata_interface="" NOTE: Declaring suricata_interface is MANDATORY for Suricata in IDS Mode. However, if you wanna run Suricata in Inline IPS Mode, add to /etc/rc.conf: suricata_enable="YES" suricata_divertport="8000" NOTE: Suricata won't start in IDS mode without an interface configured. Therefore if you omit suricata_interface from rc.conf, FreeBSD's rc.d/suricata will automatically try to start Suricata in IPS Mode (on divert port 8000, by default). RULES: Suricata IDS/IPS Engine comes without rules by default. You should add rules by yourself and set an updating strategy. To do so, please visit: http://www.openinfosecfoundation.org/documentation/rules.html http://www.openinfosecfoundation.org/documentation/emerging-threats.html You may want to try BPF in zerocopy mode to test performance improvements: sysctl -w net.bpf.zerocopy_enable=1 Don't forget to add net.bpf.zerocopy_enable=1 to /etc/sysctl.conf =========================================================================