How to Install Suricata on Ubuntu to Secure Your Network

Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) help prevent cyber criminals from infiltrating your server. These network security tools automatically drop traffic and trigger alerts upon finding a malicious activity.

In an Ubuntu virtual private server (VPS), Suricata is a popular IDS and IPS solution. In addition to being open-source, this network traffic monitoring is available for various operating systems, including Windows and Linux.

In this article, we will explain how to install Suricata on Ubuntu servers to help improve your network security. You will also learn how to modify the default settings and set up new detection rules to suit your VPS security practices.

Prerequisites

Although Suricata doesn’t mention its minimum hardware requirements, we recommend a minimum of 2 CPU cores and 4 GB of RAM to ensure optimal performance.

If you don’t have a VPS hosting plan, we recommend starting with Hostinger’s KVM 2 plan and upgrading as needed.

This plan is ideal since its 2 vCPU cores and 8 GB of RAM provide enough headroom for hosting other applications while still being affordable, costing ₹659.00/month.

For the operating system, ensure your VPS supports Ubuntu 22.04 or later. Older versions might be incompatible with the latest Suricata version.

Hostinger users can use hPanel’s one-click installer to switch to other operating systems. To do so, navigate to your VPS overview menu’s sidebar → OS & Panel → Operating System → Plain OS. Select the latest version of Ubuntu and click Change OS.

Suricata installation also requires root or superuser privileges to run Linux commands. To avoid permission issues and ensure a smooth command-line installation process, choose a VPS hosting provider with full server access, like Hostinger.

Aside from extensive compatibility, the best VPS hosting providers should offer reliable uptime and various features. For example, Hostinger offers AI Assistant, allowing you to simplify tasks by entering different AI prompts for VPS management.

We also provide a Browser terminal that lets you connect to your Ubuntu system without using an SSH client like PuTTY. To access your VPS remotely, use the login credentials in the Overview menu’s SSH Access tab.

All of our VPS hosting plans offer a 99.9% uptime guarantee and a 30-day money-back guarantee.

How to Install Suricata on Ubuntu

In this section, we will explain the steps to install Suricata on a VPS running Ubuntu 22.04. If you want to install it on a gateway host to scan incoming and outgoing network traffic, you might need additional steps, like modifying firewall rules.

1. Update Ubuntu Packages

Before installing Suricata, update APT to ensure you receive the latest local version. This step also applies the newest patches for other system packages to help improve security and avoid incompatibility issues.

To list the available system package updates in your APT repository, run the following command:

sudo apt update

Install updates for all system packages using this command:

sudo apt upgrade

The process might take minutes or hours, depending on the total update size and your internet speed.

2. Install Suricata

There are several methods to install Suricata on Ubuntu. In this section, we will explain the three common ways, starting from the easiest.

Install Suricata Using APT

Use this command to install Suricata on Ubuntu using the local APT repository:

sudo apt install -y suricata

To verify if Suricata is installed properly, check its version number using this command:

suricata -V

Alternatively, list installed packages on Ubuntu using the apt list command and filter Suricata using grep like the following:

sudo apt list --installed | grep suricata

Note that this method might install an older release since you are using the local APT package manager repository.

Install Suricata Using Binary Packages

To install the latest stable release, import the Open Information Security Foundation (OISF) repository from the Suricata server. To do so, run these commands:

sudo apt install software-properties-common

sudo add-apt-repository ppa:oisf/suricata-stable

Press Enter if Terminal asks for confirmation. After importing the repository, update APT and unpack the software with this command:

sudo apt install suricata

If you are running other Debian derivatives, use the backports repository to get the latest stable release. Refer to the Suricata binary packages installation guide to learn more about it.

Install Suricata Using Source Distribution Files

Setting up Suricata from the source distribution files lets you configure the installation settings. However, you will need to install several dependencies and various development headers.

After installing the Suricata dependencies, run the following commands subsequently:

tar xzvf suricata-6.0.0.tar.gz

cd suricata-6.0.0

./configure

make

make install

3. Configure Suricata

The Suricata package includes a YAML configuration file for tweaking the tool’s settings and behavior. You can edit it using a text editor like nano:

sudo nano /etc/suricata/suricata.yaml

The suricata.yaml file has several parameters you can adjust. Here are the most common ones:

• Interface configuration. Determines the method and network interface for capturing the packet. Some of the settings are af;-packets, af-xdp, and pcap.
• Logging. Modifies where Suricata logs the network detection, its format, and alerting level. You can change the settings via the outputs parameter.
• PID file. Sets the process identification (PID) file for running Suricata as a daemon or service. Determine its name and directory in the pid-files parameter.
• Detection rules. Defines the files containing packet-filtering rules and their locations. The parameters are default-rule-path and rule-files, respectively.
• Packet sizes. Changes the maximum packet size to be processed by Suricata and transmitted by your network. Specify the byte value in the max-pending-packet and default-packet-size parameters.
• Community Flow ID. Identifies Suricata network flow to enable integration with another tool like Zeek. The community-id parameter is set to false by default.

Edit the configurations and press Ctrl + X, Y, and Enter to save the changes. To quickly search for a specific parameter, use the Ctrl + W shortcut to enable the lookup feature.

In addition to reading the provided instructions, check the Suricata configuration file documentation to learn more about the settings. For commented parameters like community-id, remove the hash symbol (#) at the beginning to enable them.

4. Enable Network Interfaces

To process network traffic and block malicious packets from damaging your system, Suricata must monitor an interface.

By default, Suricata doesn’t track any connectivity from and to your server. Users must specify which network interface to monitor and determine the packet capture method via the YAML file.

For example, we want to use the af-packet capture method and monitor the venet0 network interface. Here’s how the configuration looks:

af-packet:
   - interface: venet0

Enter this command to display the default interface and other routing information:

ip -p -j route show

Set the packet capture method based on your needs. For example, the af-packet is suitable for live network tracking, while pcap is ideal for offline analysis.

To monitor multiple network interfaces, add these new lines at the bottom of the capture method section. Ensure the cluster-ID is unique:

-  interface: interface name
   cluster-id: 29

5. Start Suricata

Enable the Suricata service using the systemctl command to run it in the background:

sudo systemctl start suricata

To check if it is running correctly, run the following:

sudo systemctl status suricata

If the Suricata service is running, Terminal should show the loaded and active statuses like the following.

Remember, always restart the Suricata service after modifying the configuration file to ensure the new settings apply properly. Here’s the command:

sudo systemctl restart suricata

Alternatively, stop Suricata and rerun it using the systemctl start command. To terminate the daemon, enter the following:

sudo systemctl stop suricata

6. Automate Suricata Startup

Automating Suricata startup helps maintain optimal VPS security since you don’t need to manually reactivate it after rebooting the system. This helps improve server management efficiency.

To do so, create a new systemd service unit file to automatically deploy Suricata when the server starts using the following command:

sudo nano /etc/systemd/system/suricata.service

Within the service unit file, enter the following lines:

# Define the Suricata systemd unit
[Unit]
Description=Suricata IDS/IPS
After=network.target

# Specify the Suricata binary path, the configuration files location, and the network interface
[Service]
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i venet0
[Install]

WantedBy=default.target

Press Ctrl + X, Y, and Enter to save the changes. Run the following command to enable Suricata to load automatically upon system boot:

sudo systemctl enable suricata

Then, run the systemctl start command to start Suricata. Check the status to ensure the service is running.

If Terminal returns the “No rule files match” error, Suricata might not be able to load the network monitoring rules. To fix it, run suricata-update to refresh the directory path.

Then, open the suricata.yaml file and modify the configuration rules, like the following:

default-rule-path: /var/lib/suricata/rules

rule-files:
   - suricata.rules

Save the file and restart the service to apply the changes.

7. Test Suricata Functionality

After starting Suricata, validate its configuration file to ensure the tool works. The easiest way to do this is by using the built-in test command:

sudo suricata -T -c /etc/suricata/suricata.yaml -v

The -T option lets you run the Suricata test mode, and -c allows you to find the configuration file in the specified path. Additionally, the -v option enables verbose mode, providing details about command execution, including errors.

If you have numerous rules and limited CPU threads, the process will run longer but shouldn’t exceed a few minutes. Terminal will print the test logs like the following.

During this step, look for the warning message indicating misconfiguration in your YAML file. To simplify troubleshooting, we recommend asking our VPS AI Assistant for solutions.

Then, check Suricata rules to ensure they detect malicious traffic properly. The Suricata quick start guide recommends using ET Open rule number 2100498 and connecting to a test URL using the curl command:

curl http://testmynids.org/uid/index.html

The command will send an HTTP request to trigger the alert rule. Then, Suricata will generate log events in the eve.json and fast.log file about the detected traffic.

Check whether Suricata labels the HTTP request as potentially malicious traffic in the fast.log file. To do so, run the grep utility to filter the rule ID number:

grep 2100498 /var/log/suricata/fast.log

The output should show a log labeling the packet as “Potentially Bad Traffic.”

Since the eve log formats its entries as JSON, analyzing it requires the jq utility. Skip this step if you have installed the utility. Otherwise, run the following:

sudo apt install jq

Then, enter the following command to filter the log file entries based on the signature ID and alert type:

jq 'select(.alert .signature_id==2100498)' /var/log/suricata/eve.json

You should see the rule ID and the same “Potentially Bad Traffic” category. It means Suricata has matched your network traffic with the correct detection rule.

These logs are helpful for alert management and network security monitoring. For example, you can block suspicious traffic sources in Ubuntu’s Uncomplicated Firewall (UFW) or iptables.

8. Update Suricata Rules

Suricata detects suspicious packets using user-defined signatures or rules. It includes some by default, but they might be insufficient if your server receives traffic from many sources.

To add new rules, fetch additional rulesets from various third-party providers. While some of them are free, others might charge a subscription fee. To list them, run the following command:

sudo suricata-update list-sources

You will see the providers’ vendors, summaries, licenses, and subscription information. To import a ruleset, run the following command:

sudo suricata-update enable-source provider-name

Replace the provider-name placeholder with your desired ruleset source. For example, run this to retrieve sslbl/ja3-fingerprints:

sudo suricata-update enable-source sslbl/ja3-fingerprints

Then, rerun the suricata-update command to update and validate the rule files in the /etc/suricata/rules directory. If you don’t add an external source, updating Suricata will retrieve the default rules from ET OPEN.

After updating the default ET OPEN source, you will see that Suricata has processed inspecting packet payload signature and ip-only rules.

The update message should end with the tool cleaning up the signature grouping structure. If you are up-to-date, Terminal will print “No changes detected, exiting.”

We recommend running the Suricata update tool regularly to ensure your system receives the latest rule. Enforcing the newest detection method helps maintain optimal Ubuntu server security.

Optionally, use Suricata rules management tools like Pulledpork and Oinkmaster to fine-tune the detection method. Use nano to modify the file:

sudo nano /etc/suricata/rules/rule_name.rules

The Suricata rule syntax is as follows:

action protocol source-ip/port -> destination-ip/port (options; options; ... )

Here are what each parameter means and its accepted values:

• action. The action to take when the rule condition is met. Possible values include drop, alert, and log.
• protocol. The monitored network protocol, including TCP, UDP, ICMP, or IP.
• source-ip/port. The IP and port from which the traffic originates.
• destination-ip/port. The IP and port on which the rule applies.
• (options; options; …). Keywords determining additional settings or conditions.

To learn more about these parameters and possible options, check out the Suricata rules documentation. 

Conclusion

Suricata is an open-source IDS and IPS system that helps prevent malicious traffic from infiltrating your server to improve your system security. It works by detecting and dropping suspicious traffic based on a rule.

In this article, we have explained the Suricata configuration on Ubuntu 22.04 or later. After installing the distribution and gaining root access to your server via SSH, follow these steps:

1. Update Ubuntu packages. Run the apt update and apt upgrade command to install the latest version of all packages.
2. Install Suricata. Install the tool via APT or the OISF repository if you want the newest Suricata version.
3. Configure Suricata. Use a text editor like nano to edit the suricata.yaml file and tweak the default configuration.
4. Enable Network interfaces. Change the packet capture method and network interface parameter to enable Suricata to monitor your server’s traffic.
5. Start Suricata. Run the systemctl command to start Suricata as a daemon.
6. Automate Suricata startup. Create a Suricata systemd service unit file and use systemctl to enable the tool during system startup.
7. Test Suricata functionality. Validate the Suricata configuration file using the built-in test feature and check the rules by sending a mock-up HTTP request.
8. Update Suricata rules. Run suricata-update with the enable-source flag to retrieve a ruleset from an external source. Update Suricata to apply and validate the new rules.

We hope this article helps you install the tool in your Ubuntu VPS. If you have any questions or encounter issues during the setup process, leave us a comment below.