Hello, friends. In this post, you will learn how to install Suricata on Debian 11. This tool will help us to further protect our server.
Introduction to Suricata
Suricata is a high-performance network IDS (Intrusion Detection System), IPS (Intrusion Prevention System) and network security monitoring engine developed by the OISF (Open Information Security Foundation). It is open source, so we will not have many problems using it on our system.
Suricata inspects network traffic against a set of externally developed rules and alerts the system administrator when suspicious events occur.
So, Suricata is a great tool to protect our servers, and today you will learn how to use it.
Install Suricata on Debian 11
Let’s get started. Connect to your server via SSH and make sure it is up to date:
sudo apt update
sudo apt upgrade
Suricata can be installed from the official Debian repositories with a simple
sudo apt install suricata
Install Suricata from the source code – Install the dependencies
Although this method is safe and reliable, it does not provide the latest stable version. One solution is to install it from the source code.
To do this, first install the packages needed to compile it:
sudo apt install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libnss3-dev libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev python3-yaml rustc cargo libjansson-dev
Now install the rest of the dependencies:
sudo apt install libnetfilter-queue-dev libnetfilter-queue1 libnetfilter-log-dev libnetfilter-log1 libnfnetlink-dev libnfnetlink0
Although these packages are not strictly necessary, they provide the NFQUEUE integration with iptables that the --enable-nfqueue option used below relies on.
Install PIP on Debian 11
Now install pip. To do this, run this command:
sudo apt install python3-pip
Then use it to install the latest available version of the suricata-update package:
sudo pip3 install --upgrade suricata-update
Make a symbolic link to the suricata-update binary in /usr/bin:
sudo ln -s /usr/local/bin/suricata-update /usr/bin/suricata-update
Install Suricata on Debian 11
At the time of writing this post, the latest stable version of Suricata is 6.0.4, so the command to download it is
wget https://www.openinfosecfoundation.org/download/suricata-6.0.4.tar.gz
I recommend you check the project website for the current stable version, adjust the command accordingly, and verify the downloaded archive against the checksum or signature published there.
Decompress the file:
tar xzf suricata-6.0.4.tar.gz
And enter the generated folder:
cd suricata-6.0.4
Now prepare the source tree for compilation:
sudo ./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr/ --enable-lua --enable-nfqueue --enable-suricata-update --enable-rules
Next, compile the Suricata source code:
sudo make
Finally, install Suricata on Debian 11 by running:
sudo make install-full
Configuring Suricata on Debian 11
When installing Suricata on Debian 11, a set of default rules is installed and stored in /usr/share/suricata/rules.
To see which ones they are, run:
ls /usr/share/suricata/rules
Additional rules (the Emerging Threats ruleset) can be downloaded and installed by running
sudo suricata-update
This is why it was important to install that package beforehand.
Next, we have to tell Suricata the IP address of the server. To do this, we edit the application's configuration file.
First, make a backup of it for safety:
sudo cp /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.bak
Now edit it:
sudo nano /etc/suricata/suricata.yaml
Comment out the existing HOME_NET entries and leave only this one, with the address of the server:
HOME_NET: "[IP-address]"
For example,
HOME_NET: "[23.15.25.3]"
And in the interface directive, set the network interface Suricata will listen on:
interface: eth0
Save the changes and close the editor.
The best way to manage Suricata is through a system service. To do this, we create a new unit file:
sudo nano /etc/systemd/system/suricata.service
And add the following content:
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target

[Service]
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 --pidfile /var/run/suricata.pid $OPTIONS
ExecReload=/bin/kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target
Pay attention to the ExecStart line: the interface given to -i must be the one Suricata should listen on, the same one you set in suricata.yaml.
Again, save the changes and close the editor.
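Before starting the service, it is worth confirming that the edits above agree with each other. The following POSIX shell script is an added example, not part of the original post: it reads HOME_NET and the interface from suricata.yaml, reads the interface passed to -i in the unit file, and fails if HOME_NET is still unset or the two interfaces differ. The sample files and helper names are my own constructions; on a real host pass the paths /etc/suricata/suricata.yaml and /etc/systemd/system/suricata.service.

```shell
#!/bin/sh
# Added example (not from the original post): consistency checks for the
# Suricata settings edited above. The sample files at the bottom are
# constructed for the demonstration; pass the real files as arguments instead.

# First uncommented HOME_NET value in suricata.yaml, quotes and brackets stripped.
yaml_home_net() {
  sed -nE 's/^[[:space:]]*HOME_NET:[[:space:]]*"?\[?([^]"]*)\]?"?.*/\1/p' "$1" | head -n 1
}
# First uncommented "interface:" entry (the af-packet list item) in suricata.yaml.
yaml_interface() {
  sed -nE 's/^[[:space:]]*-?[[:space:]]*interface:[[:space:]]*([^[:space:]#]+).*/\1/p' "$1" | head -n 1
}
# Interface handed to "suricata -i" on the unit's ExecStart line.
unit_interface() {
  sed -nE 's/^ExecStart=.*[[:space:]]-i[[:space:]]+([^[:space:]]+).*/\1/p' "$1" | head -n 1
}
# Return 0 only when HOME_NET names a concrete address (not empty, not "any")
# and both files agree on the capture interface; report what was found.
check_suricata_config() {
  home_net=$(yaml_home_net "$1"); y_if=$(yaml_interface "$1"); u_if=$(unit_interface "$2")
  echo "HOME_NET=$home_net yaml_interface=$y_if unit_interface=$u_if"
  status=0
  case "$home_net" in ""|any) echo "FAIL: HOME_NET is not set to the server address"; status=1 ;; esac
  if [ -z "$y_if" ] || [ "$y_if" != "$u_if" ]; then
    echo "FAIL: suricata.yaml and the unit name different interfaces"; status=1
  fi
  # Only a warning: the interface may legitimately be absent on a build host.
  [ -z "$y_if" ] || [ -d "/sys/class/net/$y_if" ] || echo "WARN: $y_if is not an interface on this host"
  return "$status"
}
# Constructed sample files mirroring the edits made above.
demo_dir=$(mktemp -d)
cat > "$demo_dir/suricata.yaml" <<'EOF'
vars:
  address-groups:
    #HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    HOME_NET: "[23.15.25.3]"
af-packet:
  - interface: eth0
EOF
cat > "$demo_dir/suricata.service" <<'EOF'
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 --pidfile /var/run/suricata.pid $OPTIONS
EOF
check_suricata_config "$demo_dir/suricata.yaml" "$demo_dir/suricata.service"
```

On the real host, follow this with sudo suricata -T -c /etc/suricata/suricata.yaml, Suricata's own configuration test mode, before starting the service.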
Apply the new configuration:
sudo systemctl daemon-reload
Now start the Suricata service:
sudo systemctl start suricata
And check its status:
sudo systemctl status suricata
If the status shows the service as active, Suricata is running properly, and you can feel a little more secure.
Conclusion
In this post, we have learned how to install Suricata on Debian 11 from the source code of the application. So, our server can be more secure and stable.