Scanning a PCAP file with a large IDS ruleset helps put a name to suspicious or malicious activity. It is also useful for writing signatures for previously undetected malware, and for deciding which rules are worth actively running in your environment based on what they actually fire on.

This post will act as a guide for running the Emerging Threats Suricata ruleset against PCAP files on a typical Linux host. In this case, I used a fresh installation of Ubuntu 17.10. This can also be done on a more robust, pre-configured environment such as Security Onion.

Steps