In this tutorial, we are going to explain step-by-step how to install and customize Suricata on Debian 11.
Suricata is a Network Security Monitoring tool that processes and controls network traffic. It also generates alerts and logs, and detects suspicious packets or requests aimed at any service running on your server. Suricata can be deployed on a server host to scan incoming and outgoing network traffic, or it can be used locally on any compatible machine.
In the next few steps, you will learn more about Suricata and its installation and customization. The installation is a straightforward process and can be done in a few minutes. Let’s get started!
Prerequisites
- Fresh install of Debian 11
- User privileges: root or non-root user with sudo privileges
- VPS with at least 4GB of RAM (Our SSD 4 VPS plan)
Update the System
To bring the system up to date before the installation, run the command below:
sudo apt update -y && sudo apt upgrade -y
Install Suricata
Once the system is updated, the next step is to install Suricata from the package repository. The Suricata package is already included in Debian 11, so there is no need to add any external repository; just execute the following command:
sudo apt install suricata -y
Once the installation is completed, start the service with the following command:
sudo systemctl start suricata
To enable the service to start automatically on system reboot, execute the command:
sudo systemctl enable suricata
To check the status of the service and verify that everything is OK, execute the command below:
sudo systemctl status suricata
You should receive the output as described below:
root@vps:~# sudo systemctl status suricata
● suricata.service - Suricata IDS/IDP daemon
     Loaded: loaded (/lib/systemd/system/suricata.service; enabled; vendor preset: enabled)
     Active: active (running) since Wed 2021-12-22 09:01:49 EST; 3min 34s ago
       Docs: man:suricata(8)
             man:suricatasc(8)
             https://suricata-ids.org/docs/
   Main PID: 40712 (Suricata-Main)
      Tasks: 10 (limit: 4678)
     Memory: 62.6M
        CPU: 1min 3.410s
     CGroup: /system.slice/suricata.service
             └─40712 /usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid

Dec 22 09:01:49 test.vps systemd[1]: Starting Suricata IDS/IDP daemon...
Dec 22 09:01:49 test.vps suricata[40711]: 22/12/2021 -- 09:01:49 - - This is Suricata version 6.0.1 RELEASE running in SYSTEM mode
Dec 22 09:01:49 test.vps systemd[1]: Started Suricata IDS/IDP daemon.
By default, Suricata is configured only to log traffic and not to drop any packets. This is Suricata's IDS mode; if you want Suricata to block traffic instead of only alerting on it, you will need to run it in IPS mode. Suricata is customized by opening the “/etc/suricata/suricata.yaml” file with your favorite editor.
In the next few headings, we will explain what changes should be made after the installation of Suricata and its default configuration. In other words, we will customize the default Suricata installation.
Enabling Community Flow ID
The community flow ID is used when you plan to use Suricata with tools such as Zeek or Elasticsearch.
To enable the community flow ID, open the “suricata.yaml” file, find the line with “community-id”, and set it to true.
# Community Flow ID
# Adds a 'community_id' field to EVE records. These are meant to give
# records a predictable flow ID that can be used to match records to
# output of other tools such as Zeek (Bro).
#
# Takes a 'seed' that needs to be same across sensors and tools
# to make the id less predictable.

# enable/disable the community id feature.
community-id: true
Live Rule Reloading
With Suricata live rule reloading you can add, edit, and remove rules without restarting the “suricata.service”. To enable this option, open the “suricata.yaml” file and add the following lines at the bottom:
detect-engine:
  - rule-reload: true
Network Interface
The default network interface on which Suricata inspects traffic is “eth0”. If you want Suricata to inspect traffic on a different network interface instead, open the “suricata.yaml” file and find the line “- interface: default”. Once you find it, add the following lines before that line, as shown below:
  - interface: enp0s1
    cluster-id: 98
  - interface: default
    #threads: auto
    #use-mmap: no
    #tpacket-v3: yes
In this example we added “enp0s1” as the network interface, with cluster-id 98. Note that each cluster-id number must be unique within this file.
Suricata Rulesets
The limited set of detection rules shipped with Suricata is located in the /etc/suricata/rules directory. To fetch rulesets from external providers, run the update tool that comes with Suricata:
sudo suricata-update -o /etc/suricata/rules
You should receive the following output:
23/12/2021 -- 16:49:57 - -- Using data-directory /var/lib/suricata.
23/12/2021 -- 16:49:57 - -- Using Suricata configuration /etc/suricata/suricata.yaml
23/12/2021 -- 16:49:57 - -- Using /etc/suricata/rules for Suricata provided rules.
23/12/2021 -- 16:49:57 - -- Found Suricata version 6.0.1 at /usr/bin/suricata.
23/12/2021 -- 16:49:57 - -- Loading /etc/suricata/suricata.yaml
23/12/2021 -- 16:49:57 - -- Disabling rules for protocol http2
23/12/2021 -- 16:49:57 - -- Disabling rules for protocol modbus
23/12/2021 -- 16:49:57 - -- Disabling rules for protocol dnp3
23/12/2021 -- 16:49:57 - -- Disabling rules for protocol enip
23/12/2021 -- 16:49:57 - -- No sources configured, will use Emerging Threats Open
23/12/2021 -- 16:49:57 - -- Fetching https://rules.emergingthreats.net/open/suricata-6.0.1/emerging.rules.tar.gz.
 100% - 3119656/3119656
23/12/2021 -- 16:49:58 - -- Done.
23/12/2021 -- 16:49:58 - -- Loading distribution rule file /etc/suricata/rules/app-layer-events.rules
23/12/2021 -- 16:49:58 - -- Loading distribution rule file /etc/suricata/rules/decoder-events.rules
23/12/2021 -- 16:49:58 - -- Loading distribution rule file /etc/suricata/rules/dhcp-events.rules
23/12/2021 -- 16:49:58 - -- Loading distribution rule file /etc/suricata/rules/dnp3-events.rules
23/12/2021 -- 16:49:58 - -- Loading distribution rule file /etc/suricata/rules/dns-events.rules
23/12/2021 -- 16:49:58 - -- Loading distribution rule file /etc/suricata/rules/files.rules
23/12/2021 -- 16:49:58 - -- Loading distribution rule file /etc/suricata/rules/http-events.rules
23/12/2021 -- 16:49:58 - -- Loading distribution rule file /etc/suricata/rules/ipsec-events.rules
23/12/2021 -- 16:49:58 - -- Loading distribution rule file /etc/suricata/rules/kerberos-events.rules
23/12/2021 -- 16:49:58 - -- Loading distribution rule file /etc/suricata/rules/modbus-events.rules
23/12/2021 -- 16:49:58 - -- Loading distribution rule file /etc/suricata/rules/nfs-events.rules
23/12/2021 -- 16:49:58 - -- Loading distribution rule file /etc/suricata/rules/ntp-events.rules
23/12/2021 -- 16:49:58 - -- Loading distribution rule file /etc/suricata/rules/smb-events.rules
23/12/2021 -- 16:49:58 - -- Loading distribution rule file /etc/suricata/rules/smtp-events.rules
23/12/2021 -- 16:49:58 - -- Loading distribution rule file /etc/suricata/rules/stream-events.rules
23/12/2021 -- 16:49:58 - -- Loading distribution rule file /etc/suricata/rules/tls-events.rules
23/12/2021 -- 16:49:58 - -- Ignoring file rules/emerging-deleted.rules
23/12/2021 -- 16:50:04 - -- Loaded 31699 rules.
23/12/2021 -- 16:50:05 - -- Disabled 14 rules.
23/12/2021 -- 16:50:05 - -- Enabled 0 rules.
23/12/2021 -- 16:50:05 - -- Modified 0 rules.
23/12/2021 -- 16:50:05 - -- Dropped 0 rules.
23/12/2021 -- 16:50:05 - -- Enabled 131 rules for flowbit dependencies.
23/12/2021 -- 16:50:05 - -- Backing up current rules.
23/12/2021 -- 16:50:05 - -- Writing rules to /etc/suricata/rules/suricata.rules: total: 31699; enabled: 24319; added: 31699; removed 0; modified: 0
23/12/2021 -- 16:50:05 - -- Writing /etc/suricata/rules/classification.config
23/12/2021 -- 16:50:06 - -- Testing with suricata -T.
23/12/2021 -- 16:50:44 - -- Done.
Test the configuration
Now that the network interface, community flow ID, and rules are set up, we can check whether the Suricata configuration is valid by executing the command below:
suricata -T /etc/suricata/suricata.yaml
You should receive the output as described below:
root@vps:~# suricata -T /etc/suricata/suricata.yaml
23/12/2021 -- 16:51:15 - - Running suricata under test mode
23/12/2021 -- 16:51:15 - - This is Suricata version 6.0.1 RELEASE running in SYSTEM mode
23/12/2021 -- 16:51:52 - - Configuration provided was successfully loaded. Exiting.
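suricata -T only tells you that the YAML parses and the rules load; it does not tell you whether the edits from the Community Flow ID, Live Rule Reloading, Network Interface and Rulesets sections actually took effect. The following script is an added example, not part of this page or the Suricata project; it reads the raw text of suricata.yaml and suricata.rules at the Debian default paths used above (no YAML library required), checks that community-id and rule-reload are enabled, that no cluster-id is reused, and counts enabled versus disabled rules, exiting non-zero on any finding so it can run before suricata -T.

```python
import re
from collections import Counter

# Debian default paths used on this page (suricata-update wrote suricata.rules there).
YAML_PATH = "/etc/suricata/suricata.yaml"
RULES_PATH = "/etc/suricata/rules/suricata.rules"
RULE_ACTIONS = r"(alert|drop|reject|pass)\s"

def setting_enabled(yaml_text, key):
    """True if an uncommented line sets '<key>: true' (or yes); '# key: true' does not count."""
    pattern = re.compile(r"^\s*-?\s*" + re.escape(key) + r"\s*:\s*(true|yes)\b", re.M | re.I)
    return pattern.search(yaml_text) is not None

def duplicate_cluster_ids(yaml_text):
    """cluster-id values used more than once; each af-packet interface needs its own."""
    ids = re.findall(r"^\s*cluster-id\s*:\s*(\d+)", yaml_text, re.M)
    return sorted(v for v, n in Counter(ids).items() if n > 1)

def count_rules(rules_text):
    """(enabled, disabled): suricata-update writes disabled rules as '# alert ...' lines."""
    enabled = disabled = 0
    for line in rules_text.splitlines():
        line = line.strip()
        if re.match(RULE_ACTIONS, line):
            enabled += 1
        elif re.match(r"#\s*" + RULE_ACTIONS, line):
            disabled += 1
    return enabled, disabled

def check(yaml_text, rules_text):
    """Collect findings; an empty list means the customizations look consistent."""
    findings = []
    if not setting_enabled(yaml_text, "community-id"):
        findings.append("community-id is not enabled")
    if not setting_enabled(yaml_text, "rule-reload"):
        findings.append("rule-reload is not enabled")
    dups = duplicate_cluster_ids(yaml_text)
    if dups:
        findings.append("duplicate cluster-id values: " + ", ".join(dups))
    if count_rules(rules_text)[0] == 0:
        findings.append("no enabled rules; run suricata-update first")
    return findings

if __name__ == "__main__":
    with open(YAML_PATH) as y, open(RULES_PATH) as r:
        problems = check(y.read(), r.read())
    for p in problems:
        print("PROBLEM:", p)
    raise SystemExit(1 if problems else 0)  # non-zero exit so it can gate suricata -T
```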
That’s it. You successfully installed and configured the Suricata Network Security Tool on Debian 11. If you find it difficult to use, you can contact our admins and they will configure it for you. We are available 24/7.