PFSense - Suricata

See Suricata


Suricata in pfSense

The GUI code for Suricata is written entirely in PHP. That PHP code only provides a user interface for choosing the parameters that populate the suricata.yaml configuration file, which the Suricata binary needs to run. All of the “brains” of packet inspection and rule signatures live within the binary. The binary is designed to be completely command-line driven, and a simple text configuration file (suricata.yaml) tells the binary how to behave. So the Suricata package in pfSense consists of two parts: (1) the Suricata binary; and (2) a GUI that helps the user choose appropriate parameter settings for the suricata.yaml text configuration file.

All of the PHP code lives in /usr/local/pkg/suricata and /usr/local/www/suricata. The code base is liberally commented, which should help you follow the logic. The file names (especially in the www sub-directory) describe the function of each file. For example, you will find at least one PHP file responsible for displaying and handling user interaction for each tab in the GUI.



pfsense/suricata.txt · Last modified: 2021/07/20 12:39 by peter
