
Getting Started with Suricata: Installation, Configuration, and Rule Management

Overview

Suricata is a high-performance, open-source network analysis and threat detection software used globally. It provides:

  • High-fidelity network alerts for real-time threat detection
  • Rich protocol analysis including HTTP, DNS, TLS, and more
  • Flow data and file transaction logs in industry-standard JSON format
  • Easy integration with popular SIEM systems
  • Full packet capture capabilities
  • Real-time file extraction and analysis

Modes of Operation

Suricata operates in two primary modes:

1. Real-Time Network Interface Monitoring

  • Most common deployment method
  • Listens directly on network interfaces for live traffic capture
  • Provides continuous network monitoring and threat detection
  • Requires proper interface configuration in the configuration file
  • Typically runs as a systemd service for automatic management

2. Offline PCAP Ingestion

  • Processes previously captured network traffic files (.pcap files)
  • Useful for forensic analysis and historical investigation
  • Allows testing rule sets against stored network data
  • Batch processing of network captures

Installation

Ubuntu Installation (Using OISF PPA)

The recommended installation method uses the Open Information Security Foundation (OISF) maintained Personal Package Archive (PPA) to ensure you get the latest stable version.

Prerequisites

# Install software prerequisites
sudo apt-get install software-properties-common

# Add the OISF maintained PPA
sudo add-apt-repository ppa:oisf/suricata-stable

# Update package references
sudo apt update

Installation Command

# Install Suricata
sudo apt install suricata

Verify Installation

# Check installed version
suricata -V

Note: Using the OISF PPA ensures you get version 7.0.3+ instead of the older 6.0.4 version in default Ubuntu repositories.

Alma Linux Installation (Using EPEL)

For Red Hat Enterprise Linux derivatives (Alma Linux, Rocky Linux, CentOS), use the Extra Packages for Enterprise Linux (EPEL) repository.

Installation Commands

# Enable EPEL repository
sudo dnf install epel-release

# Enable the OISF repository
sudo dnf copr enable @oisf/suricata-7.0

# Install Suricata
sudo dnf install suricata

Verify Installation

# Check installed version
suricata -V

Configuration

Primary Configuration File

The main configuration file is located at /etc/suricata/suricata.yaml and contains multiple configuration sections.

Warning: Always back up your configuration file before making changes!

# Create a backup
sudo cp /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.backup

Key Configuration Sections

1. Network Variables (Step 1)

vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"

Important Configuration Notes:

  • HOME_NET: Defines internal IP ranges for your network (critical for proper alert generation)
  • EXTERNAL_NET: Automatically set as negation of HOME_NET
  • Customize HOME_NET to match your actual internal network ranges

Important: Incorrect HOME_NET configuration can lead to false positives or missed detections.

2. Output Configuration (Step 2)

# Default log directory
default-log-dir: /var/log/suricata/

# Global statistics
stats:
  enabled: yes

outputs:
  # Fast log format (legacy)
  - fast:
      enabled: yes
      filename: fast.log
  
  # JSON event log (primary output)
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      # Community ID correlation
      community-id: false

Key Output Features:

  • eve.json: Primary JSON-formatted output file containing all Suricata data
  • Community ID: Enables correlation with other security tools (Zeek, Wireshark, Elasticsearch)
  • Statistics: Provides performance and operational metrics

3. Network Interface Configuration (Step 3)

af-packet:
  - interface: eth0  # Change to your actual interface
    cluster-id: 99
    cluster-type: cluster_flow

Critical Configuration Step:

First, identify your network interface:

# List network interfaces
ip a

Then update the configuration to match your interface name:

sudo nano /etc/suricata/suricata.yaml

Common interface names include: ens33, ens160, enp0s3, eth0

4. Application Layer Protocols (Step 4)

app-layer:
  protocols:
    http:
      enabled: yes
      extended-logging: yes
    dns:
      enabled: yes
    tls:
      enabled: yes
    ssh:
      enabled: yes
    smtp:
      enabled: yes

RPM-Based Systems Additional Configuration

For RPM-based installations (Alma Linux, CentOS, RHEL), also update the service configuration:

# Edit the service configuration
sudo nano /etc/sysconfig/suricata

Update the interface parameter:

# Interface to listen on
INTERFACE=ens160  # Change to match your interface

Note: RPM installations require updating both /etc/suricata/suricata.yaml and /etc/sysconfig/suricata.

Rule Management with Suricata-Update

Overview

Suricata-update is the official rule management tool that ships with recent Suricata versions. It simplifies downloading, managing, and updating rule sets.

Initial Setup (Ubuntu/Debian)

Create Suricata Group and Set Permissions

# Add suricata group
sudo groupadd suricata

# Change group ownership
sudo chgrp suricata /etc/suricata

# Create and configure directories
sudo mkdir -p /var/lib/suricata/rules
sudo mkdir -p /var/lib/suricata/update
sudo chgrp suricata /var/lib/suricata/rules
sudo chgrp suricata /var/lib/suricata/update

# Set permissions
sudo chmod 775 /etc/suricata
sudo chmod 775 /var/lib/suricata/rules
sudo chmod 775 /var/lib/suricata/update

# Add current user to suricata group
sudo usermod -aG suricata $USER

Important: Reboot your system after making these permission changes!

Basic Suricata-Update Commands

List Available Sources

# Show all available rule sources
suricata-update list-sources

# Show currently enabled sources
suricata-update list-enabled-sources

# Update source index
suricata-update update-sources

Enable/Disable Rule Sources

# Enable a rule source (e.g., Emerging Threats Open)
suricata-update enable-source et/open

# Enable additional source
suricata-update enable-source tgreen/hunting

# Disable a source
suricata-update disable-source et/open

Download and Install Rules

# Download and install rules from enabled sources
suricata-update

# Download rules with verbose output
suricata-update -v

Tip: By default, suricata-update uses the Emerging Threats Open rule set if no sources are enabled.

Free Sources

| Source | Description | Approximate Rules |
|---|---|---|
| et/open | Emerging Threats Open (default) | ~48,000 rules |
| tgreen/hunting | Travis Green's hunting rules | ~1,000 rules |
| ptresearch/attackdetection | PT Research attack detection | Varies |

Commercial Sources

  • et/pro: Emerging Threats Pro (requires subscription)
  • snort-subscriber: Snort Subscriber Rules (requires subscription)
  • Various vendor-specific rule sets

Rule Management Best Practices

  1. Start with a smaller rule set for initial deployment
  2. Regularly update rule sources (daily or weekly)
  3. Monitor performance impact of large rule sets
  4. Test rules before production deployment
  5. Customize rules based on your environment

Performance Note: The default ET Open rule set (~48,000 rules) may impact performance on resource-constrained systems.

Service Management

Systemd Service Control

Basic Service Operations

# Check service status
sudo systemctl status suricata

# Start Suricata service
sudo systemctl start suricata

# Stop Suricata service
sudo systemctl stop suricata

# Restart Suricata service
sudo systemctl restart suricata

# Enable auto-start on boot
sudo systemctl enable suricata.service

Service Status Interpretation

  • Active (running): Service is operational
  • Inactive (dead): Service is not running
  • Failed: Service encountered an error (check logs for details)

Live Rule Reloading

Suricata provides tools for managing a running instance without service interruption.

Using the suricatasc Command

# The control client is named suricatasc (no hyphen). It talks to the
# unix-command socket, which must be enabled in suricata.yaml.

# Reload rules without stopping Suricata
sudo suricatasc -c reload-rules

# Get rule set statistics
sudo suricatasc -c ruleset-stats

# Check failed rules
sudo suricatasc -c ruleset-failed-rules

# Get reload time
sudo suricatasc -c ruleset-reload-time

Available Management Commands

# Show all available commands
suricatasc -h

# Common commands include:
# - reload-rules: Reload rule sets
# - shutdown: Graceful shutdown
# - capture-mode: Get capture mode info
# - conf-get: Get configuration values

Tip: Using suricatasc allows zero-downtime rule updates!

Log Files and Output

Primary Output Files

eve.json

  • Location: /var/log/suricata/eve.json
  • Format: JSON (one event per line)
  • Content: All Suricata events (alerts, flow, DNS, HTTP, TLS, etc.)
  • Usage: Primary file for SIEM integration

fast.log

  • Location: /var/log/suricata/fast.log
  • Format: Line-based text
  • Content: Alert information only
  • Usage: Legacy format, similar to Snort

Analyzing Log Output

Using jq for JSON Analysis

# View formatted JSON output
sudo tail -f /var/log/suricata/eve.json | jq '.'

# Filter by event type
sudo jq 'select(.event_type=="alert")' /var/log/suricata/eve.json

# Show DNS events
sudo jq 'select(.event_type=="dns")' /var/log/suricata/eve.json

# Show HTTP events
sudo jq 'select(.event_type=="http")' /var/log/suricata/eve.json

Event Types in eve.json

| Event Type | Description |
|---|---|
| alert | Security alerts from rules |
| flow | Network flow information |
| dns | DNS query/response data |
| http | HTTP transaction logs |
| tls | TLS/SSL connection details |
| ssh | SSH connection information |
| fileinfo | File extraction metadata |
| stats | Performance statistics |

Advanced Features

Full Packet Capture

Suricata can perform full packet capture alongside analysis:

# pcap-log is an entry of the outputs list, not a top-level key
outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap
      limit: 1000mb     # rotate the file once it reaches this size
      max-files: 2000   # oldest files are removed beyond this count

File Extraction

Real-time file extraction from network traffic:

# file-store v2 (the only version in Suricata 6+; the v1 keys log-dir,
# force-magic and force-md5/sha1/sha256 are no longer accepted)
outputs:
  - file-store:
      version: 2
      enabled: yes
      dir: filestore            # relative to default-log-dir
      write-fileinfo: yes       # one fileinfo record next to each stored file
      force-filestore: no       # yes stores every file, not only rule matches
      force-hash: [md5, sha1]   # sha256 is always computed; files are stored by it

Use Case: Extract files for automated malware analysis or forensics.

Community ID Integration

Enable correlation with other security tools:

# Both keys live under the eve-log output, next to filename
outputs:
  - eve-log:
      enabled: yes
      filename: eve.json
      community-id: true
      community-id-seed: 0   # must match the seed used by Zeek and other tools

Benefits:

  • Correlate Suricata alerts with Zeek logs
  • Pivot between different security tool data sets
  • Enhanced incident investigation workflows
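As an added example (not from the original post, Suricata or Zeek), the value that community-id: true puts in each event's community_id field, computed with the Community ID v1 algorithm for a constructed Suricata alert and a constructed Zeek conn record of the same TCP session; the seed is assumed to be 0 as in the snippet above, and the function also handles IPv6 and UDP/SCTP flows.

```python
"""Added example (not Suricata's or Zeek's code): Community ID v1 flow hash
(corelight/community-id-spec) so an eve.json alert and a Zeek conn.log
record of the same flow share one key. Sample records are constructed."""
import base64
import hashlib
import ipaddress
import struct

PROTO = {"TCP": 6, "UDP": 17, "SCTP": 132}  # ICMP needs type/code mapping; omitted

def community_id(src_ip, src_port, dst_ip, dst_port, proto, seed=0):
    """Return '1:<base64 sha1>'. seed must equal community-id-seed in
    suricata.yaml and the seed configured on the Zeek side (assumed 0)."""
    saddr, daddr = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    sport, dport, pnum = int(src_port), int(dst_port), PROTO[proto.upper()]
    # canonical order: lower packed address first, ports break ties, so both
    # directions of the flow produce the same hash
    if (saddr.packed, sport) > (daddr.packed, dport):
        saddr, daddr, sport, dport = daddr, saddr, dport, sport
    data = (struct.pack("!H", seed) + saddr.packed + daddr.packed
            + struct.pack("!BBHH", pnum, 0, sport, dport))
    return "1:" + base64.b64encode(hashlib.sha1(data).digest()).decode()

# Constructed records: the same TCP session, logged from opposite directions
EVE_ALERT = {"event_type": "alert", "src_ip": "192.168.1.10", "src_port": 50000,
             "dest_ip": "198.51.100.9", "dest_port": 443, "proto": "TCP"}
ZEEK_CONN = {"id.orig_h": "198.51.100.9", "id.orig_p": 443,
             "id.resp_h": "192.168.1.10", "id.resp_p": 50000, "proto": "tcp"}

def eve_flow_id(ev, seed=0):
    """Same value Suricata writes to community_id when the option is on."""
    return community_id(ev["src_ip"], ev["src_port"],
                        ev["dest_ip"], ev["dest_port"], ev["proto"], seed)

def zeek_flow_id(rec, seed=0):
    return community_id(rec["id.orig_h"], rec["id.orig_p"],
                        rec["id.resp_h"], rec["id.resp_p"], rec["proto"], seed)
```

Because the tuple is canonicalised before hashing, the id is the same whichever side a sensor saw first; a mismatch between two tools almost always means different seeds.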

Troubleshooting

Common Issues

Interface Configuration Problems

# Verify interface exists and is up
ip link show

# Check Suricata can access interface
sudo suricata -T -c /etc/suricata/suricata.yaml -v

Permission Issues

# Check log file permissions
ls -la /var/log/suricata/

# Verify service user can write to log directory
sudo -u suricata touch /var/log/suricata/test.txt

Configuration Validation

# Test configuration file syntax
sudo suricata -T -c /etc/suricata/suricata.yaml

# Test with specific interface
sudo suricata -T -c /etc/suricata/suricata.yaml -i ens33

Log Analysis for Troubleshooting

Check systemd logs

# View recent service logs
sudo journalctl -u suricata.service -n 50

# Follow logs in real-time
sudo journalctl -u suricata.service -f

Analyze Suricata stats

# View statistics from eve.json
grep '"event_type":"stats"' /var/log/suricata/eve.json | tail -1 | jq '.'

Performance Considerations

Hardware Requirements

| Component | Minimum | Recommended |
|---|---|---|
| CPU | 2 cores | 4+ cores |
| Memory | 4GB RAM | 8GB+ RAM |
| Storage | HDD | SSD |
| Network | 100 Mbps | 1+ Gbps |

Note: Interface must support promiscuous mode for proper packet capture.

Performance Tuning Tips

  • Rule optimization: Use specific rule sets for your environment
  • Worker threads: Configure based on CPU cores
  • Memory allocation: Adjust for traffic volume
  • Output optimization: Disable unnecessary logging

Integration Examples

SIEM Integration

# Configure log forwarding to Elasticsearch
# Using Filebeat or Logstash to ship eve.json

# Example Filebeat configuration
filebeat.inputs:
- type: log
  paths:
    - /var/log/suricata/eve.json
  fields:
    suricata: true
  json.keys_under_root: true

Monitoring Integration

# Export metrics for Prometheus/Grafana
# Parse stats events from eve.json
grep '"event_type":"stats"' /var/log/suricata/eve.json | jq '.stats'
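The stats counters that the grep commands here and in the troubleshooting section pull out are cumulative since start-up, so a lifetime drop ratio hides a recent burst. This added example (not from the original post) subtracts consecutive stats events to get per-interval capture drop rates, which is what a Prometheus or Grafana panel should graph; the events are constructed and carry only the uptime and capture counters.

```python
"""Added example (not Suricata's own code): per-interval packet drop rates
from consecutive eve.json stats events. The events below are constructed."""
import json

def _stats(uptime, packets, drops):
    """Build a minimal stats event with the capture counters of af-packet."""
    return json.dumps({"event_type": "stats", "stats": {
        "uptime": uptime,
        "capture": {"kernel_packets": packets, "kernel_drops": drops}}})

# Constructed sample: three stats events eight seconds apart, with a burst of
# drops in the last interval that the lifetime ratio (9400/200000) would hide
SAMPLE_EVE = "\n".join([
    '{"event_type":"flow","src_ip":"192.168.1.10","dest_ip":"198.51.100.9"}',
    _stats(8, 80_000, 0),
    _stats(16, 160_000, 400),
    _stats(24, 200_000, 9_400),
])

def stats_events(text):
    """Yield the stats object of every stats event, skipping other lines."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") == "stats":
            yield ev["stats"]

def interval_drop_rates(text):
    """Return (uptime, packets_in_interval, drop_ratio) per interval."""
    rates, prev = [], None
    for s in stats_events(text):
        cap = s.get("capture", {})
        cur = (s["uptime"], cap.get("kernel_packets", 0), cap.get("kernel_drops", 0))
        if prev is not None:
            pkts, drops = cur[1] - prev[1], cur[2] - prev[2]
            if pkts < 0 or drops < 0:   # counters went backwards: restart
                prev = cur
                continue
            rates.append((cur[0], pkts, drops / pkts if pkts else 0.0))
        prev = cur
    return rates

def worst_interval(text, threshold=0.01):
    """Interval with the highest drop ratio if it exceeds threshold, else None."""
    rates = interval_drop_rates(text)
    worst = max(rates, key=lambda r: r[2], default=None)
    return worst if worst and worst[2] > threshold else None
```

A sustained ratio above about one percent on a production tap is the point to revisit the worker-thread and ring-buffer settings rather than the rule set.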

Security Best Practices

Service Hardening

  • Run Suricata as non-root user when possible
  • Restrict file system permissions
  • Use dedicated service account
  • Enable SELinux/AppArmor policies

Network Deployment

  • Deploy on network tap or SPAN port
  • Ensure high availability with clustering
  • Implement log rotation and archival
  • Monitor disk space usage

Rule Management Security

  • Verify rule source authenticity
  • Test rules in staging environment
  • Maintain rule set documentation
  • Regular rule performance reviews

Conclusion

Suricata provides robust network security monitoring capabilities with flexible deployment options. Whether used for real-time threat detection or forensic analysis, proper installation, configuration, and maintenance are crucial for effective network security monitoring.

Key Success Factors

  1. Proper network interface configuration
  2. Appropriate HOME_NET definition
  3. Regular rule updates
  4. Performance monitoring
  5. Log management strategy
  6. Integration with security infrastructure

This guide is based on Suricata version 7.0.3. Commands and configurations may vary slightly in different versions.

This post is licensed under CC BY 4.0 by the author.