Welcome to today’s guide on how to install and configure Suricata on Debian 10 (Buster). Suricata is a free to use and open source network threat detection engine. It is designed to be fast & robust, secure, usable and efficient. Its development has matured enough for adoption in any network infrastructure. Suricata is capable of real time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.

Suricata uses extensive rules and signature language to inspect network traffic. Additionally, Lua scripting language can be used for the detection of complex threats. YAML and JSON are the supported input and output formats. This ensures there is a deep integration with tools like existing Splunk, SIEMs, Logstash/Elasticsearch, Kibana, and other database become effortless.

Step 1: Update Debian System

Let’s begin our installation by updating the system and upgrading all packages.

sudo apt update

An upgrade of the system can be initiated using the command:

sudo apt upgrade -y

A reboot is always recommended whenever a Linux system is upgraded:

sudo reboot

Step 2: Install Dependency packages

We’ll install Suricata on Debian 10 from the source distribution files which gives the most control over the Suricata installation. Before installation we need to install a number of dependency packages using the commands below.

sudo apt update
sudo apt -y install wget curl make libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config cargo libnetfilter-queue-dev libcap-ng0 libnss3-dev libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev python-yaml

Install extra tools for iptables/nftables IPS integration:

sudo apt install -y libnetfilter-queue-dev libnetfilter-queue1 libnetfilter-log-dev libnetfilter-log1 libnfnetlink-dev libnfnetlink0

Setup Rust support:

sudo apt remove --purge rustc -y
curl -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env

Step 3: Download and build Suricata on Debian 10

Download the latest release of Suricata source code:

export SUR_VERSION=6.0.1
wget https://www.openinfosecfoundation.org/download/suricata-$SUR_VERSION.tar.gz

Extract the file downloaded:

tar xvf suricata-$SUR_VERSION.tar.gz

Navigate to the folder created from file extraction:

cd suricata-$SUR_VERSION/

Build Suricata with IPS capabilities:

./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-rust
make

Run the following commands to install Suricata on Debian 10:

sudo make install

Install initial configuration files to /etc/suricata/:

sudo make install-conf

To make sure the existing list with libraries will be updated with the new library, enter:

sudo ldconfig

Install the tool for updating your Suricata rules

sudo apt install python-pip
sudo pip install --upgrade suricata-update

Update Suricata rules:

sudo suricata-update

Step 4: Configure Suricata on Debian 10

Suricata main configuration file is located in /etc/suricata/suricata.yaml.

Check the available interface cards to identify which one you would like Suricata to use.

$ ifconfig

Create a Suricata systemd unit file.

Instead of eth0, you can enter the interface card of your preference.

$ sudo vim /etc/systemd/system/suricata.service
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target

[Service]
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 --pidfile /var/run/suricata.pid $OPTIONS
ExecReload=/bin/kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target

Reload systemd unit files:

sudo systemctl daemon-reload

Start and enable Suricata service:

sudo systemctl start suricata

Confirm service status:

$ systemctl status suricata
● suricata.service - Suricata Intrusion Detection Service
   Loaded: loaded (/etc/systemd/system/suricata.service; disabled; vendor preset: enabled)
   Active: active (running) since Wed 2021-02-24 20:15:37 UTC; 1min 7s ago
  Process: 13228 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
 Main PID: 13229 (Suricata-Main)
    Tasks: 8 (limit: 2376)
   Memory: 411.4M
   CGroup: /system.slice/suricata.service
           └─13229 /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 --pidfile /var/run/suricata.pid

Feb 24 20:15:37 debian10 systemd[1]: Starting Suricata Intrusion Detection Service...
Feb 24 20:15:37 debian10 systemd[1]: Started Suricata Intrusion Detection Service.
Feb 24 20:15:37 debian10 suricata[13229]: 24/2/2021 -- 20:15:37 - <Notice> - This is Suricata version 5.0.5 RELEASE running in SYSTEM mode
Feb 24 20:16:00 debian10 suricata[13229]: 24/2/2021 -- 20:16:00 - <Notice> - all 2 packet processing threads, 4 management threads initialized, engine started.

Now that you have Suricata installed and running on Debian 10 (Buster), visit the project documentation page to read more on advanced configurations and usage.

More guides:

How To Enable Command Autosuggestions on Zsh

Analyze and Clean Your macOS using Clean Me

Best Books To Learn Kotlin Programming