How to install Suricata on Debian 11


Hello, friends. In this post, you will learn how to install Suricata on Debian 11. This tool will help us to further protect our server.

Introducing Suricata

Suricata is a high-performance network IDS (Intrusion Detection System), IPS, and network security monitoring engine developed by the OISF. It is an open-source application, so we will have no trouble using it on our system.

Suricata inspects network traffic against a set of externally developed rules and alerts the system administrator when a suspicious event occurs.

So, Suricata is a great tool to protect our servers, and today you will learn how to use it.

Install Suricata on Debian 11

Let’s get started. Connect to your server via SSH and make sure it is up to date.

sudo apt update
sudo apt upgrade

Suricata is available from the official Debian repositories, so it can be installed with a single command:

sudo apt install suricata

Install Suricata from the source code – Install the dependencies

Although this method is safe and reliable, it does not provide the latest stable version. So one solution is to install it from the source code.

To complete this, install the necessary packages to perform the compilation.

sudo apt install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev libcap-ng-dev libcap-ng0 make libmagic-dev libnss3-dev libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev python3-yaml rustc cargo libjansson-dev

Now, continue installing the rest of the dependencies.

sudo apt install libnetfilter-queue-dev libnetfilter-queue1 libnetfilter-log-dev libnetfilter-log1 libnfnetlink-dev libnfnetlink0

These packages are not strictly necessary, but they provide the netfilter/iptables integration (NFQUEUE) that Suricata's IPS mode relies on.

Install PIP on Debian 11

Next comes the installation of pip. To complete this, run this command:

sudo apt install python3-pip

Use it to install the suricata-update package; the --upgrade flag pulls in the latest available version.

sudo pip3 install --upgrade suricata-update
1.- Installing Suricata on Debian 11

Make a symbolic link of the suricata-update binary to /usr/bin.

sudo ln -s /usr/local/bin/suricata-update /usr/bin/suricata-update

Install Suricata on Debian 11 from the source code

At the time of writing this post, the latest stable version of Suricata is 6.0.4, so the command to download it is:

wget https://www.openinfosecfoundation.org/download/suricata-6.0.4.tar.gz
2.- Download Suricata on Debian 11

I recommend checking the project website for the latest stable version and adjusting the command accordingly.

Decompress the file

tar xzf suricata-6.0.4.tar.gz

And enter the generated folder:

cd suricata-6.0.4

Now prepare the files for compilation.

sudo ./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr/ --enable-lua --enable-nfqueue --enable-suricata-update --enable-rules
3.- Preparing Suricata for the installation

Next, compile the Suricata source code.

sudo make

Finally, install Suricata on Debian 11 by running:

sudo make install-full
4.- Install suricata on Debian 11

Configuring Suricata on Debian 11

When installing Suricata on Debian 11, a set of default rules will be installed and stored in /usr/share/suricata/rules.

To see which rules are there, you can run this command:

ls /usr/share/suricata/rules
5.- The Suricata rules

Additional rules (the Emerging Threats Open ruleset) can be installed by running:

sudo suricata-update

This is why it is important to have installed this package beforehand.

Then we have to tell Suricata the IP address of the server. To complete this, we have to edit the application's configuration file.

First, make a backup of it, just in case:

sudo cp /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.bak

Now edit it:

sudo nano /etc/suricata/suricata.yaml

In the vars section, under address-groups, comment out the other HOME_NET entries and leave only this one:

HOME_NET: "[IP-address]"

For example,

HOME_NET: "[23.15.25.3]"

And in the af-packet section, set the interface directive to the network interface Suricata will listen on:

interface: eth0

Save the changes and close the editor.
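A pre-flight check for the two edits above, written as an added example (not from the original post): it reads a suricata.yaml, reports the effective HOME_NET and af-packet interface, warns when HOME_NET is still the stock private-range default, and runs Suricata's own configuration test (suricata -T) if the binary is installed. The sample YAML it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# HOME_NET / interface edits above. It reports the effective values, warns
# if HOME_NET is still the stock default and runs suricata -T when installed.

# First uncommented HOME_NET value (only that one counts, hence the advice to
# comment out the others).
suricata_home_net() {
    grep -E '^[[:space:]]*HOME_NET:' "$1" | head -n1 \
        | sed -E 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# First "- interface:" entry inside the af-packet section.
suricata_af_packet_iface() {
    sed -n '/^af-packet:/,/^[^[:space:]#]/p' "$1" \
        | grep -E '^[[:space:]]*-[[:space:]]*interface:' | head -n1 \
        | sed -E 's/.*interface:[[:space:]]*//; s/[[:space:]]*$//'
}

# Returns 0 when HOME_NET no longer contains the default RFC1918 ranges.
home_net_is_customised() {
    case "$1" in
        *192.168.0.0/16*|*10.0.0.0/8*|*172.16.0.0/12*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage: check_config /etc/suricata/suricata.yaml
check_config() {
    hn=$(suricata_home_net "$1"); iface=$(suricata_af_packet_iface "$1")
    echo "HOME_NET=$hn interface=$iface"
    home_net_is_customised "$hn" || { echo "warning: HOME_NET is still the default" >&2; return 1; }
    # Suricata's own config/rule test; skipped where the binary is absent
    ! command -v suricata >/dev/null 2>&1 || suricata -T -c "$1" -i "$iface"
}

# Constructed minimal suricata.yaml mirroring the post's edits.
write_sample_yaml() {
    cat > "$1" <<'EOF'
vars:
  address-groups:
    #HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    HOME_NET: "[23.15.25.3]"
af-packet:
  - interface: eth0
  - interface: default
outputs: []
EOF
}
```

Source the script and run check_config against /etc/suricata/suricata.yaml; a non-zero exit means HOME_NET was not changed or Suricata rejected the configuration.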

The best way to manage Suricata is through a system service. To complete this, we will create a new configuration file.

sudo nano /etc/systemd/system/suricata.service

And add the following code

[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target

[Service]
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 --pidfile /var/run/suricata.pid $OPTIONS
ExecReload=/bin/kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target
6.- Service status

Pay attention to the ExecStart line, because that is where the network interface Suricata listens on is defined (-i eth0); change it if your interface has a different name.

Again, save the changes and close the editor.

Apply the new configuration

sudo systemctl daemon-reload

Now start the Suricata service.

sudo systemctl start suricata

And check its status

sudo systemctl status suricata
7.- The Suricata service status

So, Suricata is running properly. And now you can feel a little more secure.
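A running service is not the same as a working sensor. The script below is an added example (not from the original post) that summarises Suricata's fast.log (default path /var/log/suricata/fast.log) by signature, source address and priority, so you can confirm alerts are actually being produced on the interface you configured. The log lines it writes are constructed samples in fast.log format, using RFC 5737 documentation addresses.

```shell
#!/bin/sh
# Added example (not from the original post): once the service is up, confirm
# it is really alerting by summarising /var/log/suricata/fast.log, the default
# fast output. The log lines below are constructed samples in fast.log format.

# Number of alerts for one signature id (sid); prints 0 when none.
alert_count_for_sid() {
    grep -c -E "\[[0-9]+:$2:[0-9]+\]" "$1" || true
}

# Alerts at or above a priority (1 is most severe), i.e. Priority <= $2.
alerts_at_least_priority() {
    awk -v max="$2" 'match($0, /Priority: [0-9]+/) {
        if (substr($0, RSTART + 10, RLENGTH - 10) + 0 <= max) print }' "$1"
}

# Alert count per signature, most frequent first ("<n> [gid:sid:rev] message").
alerts_by_signature() {
    sed -E 's/^.*\[\*\*\] (\[[0-9:]+\] .*) \[\*\*\].*$/\1/' "$1" | sort | uniq -c | sort -rn
}

# Alert count per IPv4 source address, most frequent first.
alerts_by_source() {
    sed -E 's/.*[{][A-Z]+[}] ([0-9.]+):[0-9]+ -> .*/\1/' "$1" | sort | uniq -c | sort -rn
}

# Constructed sample lines (RFC 5737 addresses; the HOME_NET host from the post).
write_sample_fastlog() {
    cat > "$1" <<'EOF'
07/12/2022-10:15:32.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 23.15.25.3:51234
07/12/2022-10:16:01.000001  [**] [1:2210000:1] SURICATA STREAM 3way handshake wrong seq wrong ack [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 198.51.100.7:443 -> 23.15.25.3:40010
07/12/2022-10:16:02.000002  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 23.15.25.3:51240
EOF
}

# Report for a log file; defaults to the live log when called without arguments.
fastlog_report() {
    log="${1:-/var/log/suricata/fast.log}"
    echo "== alerts by signature =="; alerts_by_signature "$log"
    echo "== alerts by source =="; alerts_by_source "$log"
    echo "== priority 1-2 =="; alerts_at_least_priority "$log" 2
}
```

An empty report after some minutes of traffic usually means the wrong interface in ExecStart or a HOME_NET that does not cover the server, not a healthy network.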

Conclusion

In this post, we have learned how to install Suricata on Debian 11 from the source code of the application. So, our server can be more secure and stable.

Angelo
I am Angelo. A systems engineer passionate about Linux and all open-source software. Although here I'm just another member of the family.
