{"id":101639,"date":"2024-01-11T07:51:19","date_gmt":"2024-01-11T07:51:19","guid":{"rendered":"\/tutorials\/?p=101639"},"modified":"2025-03-27T05:54:36","modified_gmt":"2025-03-27T05:54:36","slug":"how-to-install-suricata-on-ubuntu","status":"publish","type":"post","link":"\/tutorials\/how-to-install-suricata-on-ubuntu","title":{"rendered":"How to install Suricata on Ubuntu to secure your network"},"content":{"rendered":"<p>Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) help prevent cyber criminals from infiltrating your server. These network security tools automatically drop traffic and trigger alerts upon finding a malicious activity.<\/p><p>In an Ubuntu virtual private server (VPS), Suricata is a popular IDS and IPS solution. In addition to being open-source, this network traffic monitoring is available for various operating systems, including Windows and Linux.<\/p><p>In this article, we will explain how to install Suricata on Ubuntu servers to help improve your network security. 
You will also learn how to modify the default settings and set up new detection rules to suit your VPS security practices.<\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><a href=\"https:\/\/assets.hostinger.com\/content\/tutorials\/pdf\/Linux-Commands-Cheat-Sheet.pdf\" target=\"_blank\" rel=\"noopener\"><img decoding=\"async\" width=\"2048\" height=\"566\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2022\/11\/Linux-cheat-sheet.png\/public\" alt=\"\" class=\"wp-image-69262\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2022\/11\/Linux-cheat-sheet.png\/w=2048,fit=scale-down 2048w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2022\/11\/Linux-cheat-sheet.png\/w=300,fit=scale-down 300w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2022\/11\/Linux-cheat-sheet.png\/w=1024,fit=scale-down 1024w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2022\/11\/Linux-cheat-sheet.png\/w=150,fit=scale-down 150w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2022\/11\/Linux-cheat-sheet.png\/w=768,fit=scale-down 768w\" sizes=\"(max-width: 2048px) 100vw, 2048px\" \/><\/a><\/figure><\/div><p>\n\n\n\n\n\n<\/p><h2 class=\"wp-block-heading\" id=\"h-prerequisites\">Prerequisites<\/h2><p>Although Suricata doesn&rsquo;t mention its minimum hardware requirements, we recommend a minimum of <strong>2 CPU<\/strong> cores and <strong>4 GB<\/strong> of RAM to ensure optimal performance.<\/p><p>If you don&rsquo;t have a <a href=\"\/vps-hosting\">VPS hosting plan<\/a>, we recommend starting with <strong>Hostinger&rsquo;s KVM 2<\/strong> plan and upgrading as needed. 
<\/p><p>This plan is ideal since its <strong>2 vCPU<\/strong> cores and <strong>8 GB of RAM<\/strong> provide enough headroom for hosting other applications while still being affordable, costing <strong>$8.99\/month<\/strong>.<\/p><p>For the operating system, ensure your VPS supports <strong>Ubuntu 22.04<\/strong> or later. Older versions might be incompatible with the latest Suricata version.<\/p><p>Hostinger users can use <strong>hPanel<\/strong>&rsquo;s one-click installer to switch to other operating systems. To do so, navigate to your <strong>VPS overview<\/strong> menu&rsquo;s sidebar &rarr; <strong>OS &amp; Panel<\/strong> &rarr; <strong>Operating System<\/strong> &rarr; <strong>Plain OS<\/strong>. Select <strong>Ubuntu<\/strong> and click <strong>Change OS<\/strong>.<\/p><div class=\"wp-block-image\">\n<figure data-wp-context='{\"imageId\":\"69e0033f5e4ba\"}' data-wp-interactive=\"core\/image\" class=\"aligncenter size-full wp-lightbox-container\"><img decoding=\"async\" width=\"1460\" height=\"323\" data-wp-class--hide=\"state.isContentHidden\" data-wp-class--show=\"state.isContentVisible\" data-wp-init=\"callbacks.setButtonStyles\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-on-async--load=\"callbacks.setButtonStyles\" data-wp-on-async-window--resize=\"callbacks.setButtonStyles\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2019\/03\/ubuntu-in-hpanel-os-configuration-menu.png\/public\" alt=\"The Ubuntu VPS template on hPanel's operating system configuration page\" class=\"wp-image-125844\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2019\/03\/ubuntu-in-hpanel-os-configuration-menu.png\/w=1460,fit=scale-down 1460w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2019\/03\/ubuntu-in-hpanel-os-configuration-menu.png\/w=300,fit=scale-down 300w, 
https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2019\/03\/ubuntu-in-hpanel-os-configuration-menu.png\/w=1024,fit=scale-down 1024w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2019\/03\/ubuntu-in-hpanel-os-configuration-menu.png\/w=150,fit=scale-down 150w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2019\/03\/ubuntu-in-hpanel-os-configuration-menu.png\/w=768,fit=scale-down 768w\" sizes=\"(max-width: 1460px) 100vw, 1460px\" \/><button class=\"lightbox-trigger\" type=\"button\" aria-haspopup=\"dialog\" aria-label=\"Enlarge\" data-wp-init=\"callbacks.initTriggerButton\" data-wp-on-async--click=\"actions.showLightbox\" data-wp-style--right=\"state.imageButtonRight\" data-wp-style--top=\"state.imageButtonTop\">\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"12\" height=\"12\" fill=\"none\" viewbox=\"0 0 12 12\">\n\t\t\t\t<path fill=\"#fff\" d=\"M2 0a2 2 0 0 0-2 2v2h1.5V2a.5.5 0 0 1 .5-.5h2V0H2Zm2 10.5H2a.5.5 0 0 1-.5-.5V8H0v2a2 2 0 0 0 2 2h2v-1.5ZM8 12v-1.5h2a.5.5 0 0 0 .5-.5V8H12v2a2 2 0 0 1-2 2H8Zm2-12a2 2 0 0 1 2 2v2h-1.5V2a.5.5 0 0 0-.5-.5H8V0h2Z\"><\/path>\n\t\t\t<\/svg>\n\t\t<\/button><\/figure><\/div><p>Suricata installation also requires root or superuser privileges to run <a href=\"\/tutorials\/linux-commands\">Linux commands<\/a>. To avoid permission issues and ensure a smooth command-line installation process, choose a VPS hosting provider with full server access, like Hostinger.<\/p><p>Aside from extensive compatibility, the <a href=\"\/tutorials\/best-vps-hosting\">best VPS hosting providers<\/a> should offer reliable uptime and various features. 
For example, Hostinger comes with an<strong> <\/strong>AI Assistant <strong>Kodee<\/strong>, allowing you to simplify tasks by entering different <a href=\"\/tutorials\/ai-prompts-for-vps-management\">AI prompts for VPS management<\/a>.<\/p><p>We also provide a <strong>Browser terminal<\/strong> that lets you connect to your Ubuntu system without <a href=\"\/tutorials\/how-to-use-putty-ssh\">using an SSH client like PuTTY<\/a>. To access your VPS remotely, use the login credentials in the Overview menu&rsquo;s <strong>SSH Access<\/strong> tab.<\/p><p>\n\n\n<div><p class=\"important\"><strong>Important!<\/strong> By default, you will log in as the root user. We recommend switching to another account with superuser privileges to avoid accidentally executing destructive commands.<\/p><\/div>\n\n\n\n<\/p><p>All of our VPS hosting plans offer a<strong> 99.9% uptime guarantee<\/strong> and a <strong>30-day money-back guarantee<\/strong>.<\/p><figure class=\"wp-block-image size-large\"><a class=\"hgr-tutorials-cta hgr-tutorials-cta-vps-hosting\" href=\"\/vps-hosting\" target=\"_blank\" rel=\"noreferrer noopener\"><img decoding=\"async\" width=\"1024\" height=\"300\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2023\/02\/VPS-hosting-banner.png\/public\" alt=\"\" class=\"wp-image-77934\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2023\/02\/VPS-hosting-banner.png\/w=1024,fit=scale-down 1024w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2023\/02\/VPS-hosting-banner.png\/w=300,fit=scale-down 300w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2023\/02\/VPS-hosting-banner.png\/w=150,fit=scale-down 150w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2023\/02\/VPS-hosting-banner.png\/w=768,fit=scale-down 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" 
\/><\/a><\/figure><h2 class=\"wp-block-heading\" id=\"h-how-to-install-suricata-on-ubuntu\">How to install Suricata on Ubuntu<\/h2><p>In this section, we will explain the steps to install Suricata on a VPS running <strong>Ubuntu 22.04<\/strong>. If you want to install it on a gateway host to scan incoming and outgoing network traffic, you might need additional steps, like modifying firewall rules.<\/p><h3 class=\"wp-block-heading\" id=\"h-1-update-ubuntu-packages\">1. Update Ubuntu packages<\/h3><p>Before installing Suricata, update APT to ensure you receive the latest local version. This step also applies the newest patches for other system packages to help improve security and avoid incompatibility issues.<\/p><p>To list the available system package updates in your APT repository, run the following command:<\/p><pre class=\"wp-block-preformatted\">sudo apt update<\/pre><p>Install updates for all system packages using this command:<\/p><pre class=\"wp-block-preformatted\">sudo apt upgrade<\/pre><p>The process might take minutes or hours, depending on the total update size and your internet speed.<\/p><h3 class=\"wp-block-heading\" id=\"h-2-install-suricata\">2. Install Suricata<\/h3><p>There are several methods to install Suricata on Ubuntu. 
In this section, we will explain the three common ways, starting from the easiest.<\/p><p><strong>Install Suricata using APT<\/strong><\/p><p>Use this command to install Suricata on Ubuntu using the local APT repository:<\/p><pre class=\"wp-block-preformatted\">sudo apt install -y suricata<\/pre><p>To verify if Suricata is installed properly, check its version number using this command:<\/p><pre class=\"wp-block-preformatted\">suricata -V<\/pre><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-returns-installed-suricata-version-number.png\"><img decoding=\"async\" width=\"778\" height=\"44\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-returns-installed-suricata-version-number.png\/public\" alt=\"Terminal returns the installed Suricata version number\" class=\"wp-image-101641\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-returns-installed-suricata-version-number.png\/w=778,fit=scale-down 778w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-returns-installed-suricata-version-number.png\/w=300,fit=scale-down 300w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-returns-installed-suricata-version-number.png\/w=150,fit=scale-down 150w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-returns-installed-suricata-version-number.png\/w=768,fit=scale-down 768w\" sizes=\"(max-width: 778px) 100vw, 778px\" \/><\/a><\/figure><\/div><p>\n\n<div><p class=\"important\"><strong>Important!<\/strong> Ensure correct capitalization when entering commands since they are case-sensitive.<\/p><\/div>\n\n\n\n<\/p><p>Alternatively, <a href=\"\/tutorials\/how-to-list-installed-packages-on-ubuntu\/\">list 
installed packages on Ubuntu<\/a> using the <strong>apt list<\/strong> command and filter Suricata using <strong>grep <\/strong>like the following:<\/p><pre class=\"wp-block-preformatted\">sudo apt list --installed | grep suricata<\/pre><p>Note that this method might install an older release since you are using the local APT package manager repository.<\/p><p><strong>Install Suricata using binary packages<\/strong><\/p><p>To install the latest stable release, import the <a href=\"https:\/\/suricata.io\/our-story\/oisf\/\" target=\"_blank\" rel=\"noreferrer noopener\">Open Information Security Foundation (OISF)<\/a> repository from the Suricata server. To do so, run these commands:<\/p><pre class=\"wp-block-preformatted\">sudo apt install software-properties-common<\/pre><pre class=\"wp-block-preformatted\">sudo add-apt-repository ppa:oisf\/suricata-stable<\/pre><p>Press <strong>Enter<\/strong> if Terminal asks for confirmation. After importing the repository, update APT and unpack the software with this command:<\/p><pre class=\"wp-block-preformatted\">sudo apt install suricata<\/pre><p>If you are running other Debian derivatives, use the backports repository to get the latest stable release. Refer to the <a href=\"https:\/\/docs.suricata.io\/en\/latest\/install.html#debian\" target=\"_blank\" rel=\"noreferrer noopener\">Suricata binary packages installation guide<\/a> to learn more about it.<\/p><p><strong>Install Suricata using source distribution files<\/strong><\/p><p>Setting up Suricata from the source distribution files lets you configure the installation settings. 
However, you will need to install several dependencies and various development headers.<\/p><p>After installing the <a href=\"https:\/\/docs.suricata.io\/en\/latest\/install.html#dependencies\" target=\"_blank\" rel=\"noreferrer noopener\">Suricata dependencies<\/a>, run the following commands in order:<\/p><pre class=\"wp-block-preformatted\">tar xzvf suricata-6.0.0.tar.gz<\/pre><pre class=\"wp-block-preformatted\">cd suricata-6.0.0<\/pre><pre class=\"wp-block-preformatted\">.\/configure<\/pre><pre class=\"wp-block-preformatted\">make<\/pre><pre class=\"wp-block-preformatted\">sudo make install<\/pre><h3 class=\"wp-block-heading\" id=\"h-3-configure-suricata\">3. Configure Suricata<\/h3><p>The Suricata package includes a <strong>YAML<\/strong> configuration file for tweaking the tool&rsquo;s settings and behavior. You can edit it <a href=\"\/tutorials\/how-to-install-and-use-nano-text-editor\">using a text editor like <strong>nano<\/strong><\/a>:<\/p><pre class=\"wp-block-preformatted\">sudo nano \/etc\/suricata\/suricata.yaml<\/pre><p>The <strong>suricata.yaml<\/strong> file has several parameters you can adjust. Here are the most common ones:<\/p><ul class=\"wp-block-list\">\n<li><strong>Interface configuration<\/strong>. Determines the capture method and the network interface used for capturing packets. The available capture methods include <strong>af-packet<\/strong>, <strong>af-xdp<\/strong>, and <strong>pcap<\/strong>.<\/li>\n\n\n\n<li><strong>Logging<\/strong>. Controls where Suricata writes its detection logs, their format, and the alerting level. You can change these settings in the <strong>outputs<\/strong> section.<\/li>\n\n\n\n<li><strong>PID file<\/strong>. Sets the process identification (PID) file used when running Suricata as a daemon or service. Set its name and directory in the <strong>pid-file<\/strong> parameter.<\/li>\n\n\n\n<li><strong>Detection rules<\/strong>. Defines the files containing packet-filtering rules and their locations. 
The parameters are <strong>default-rule-path<\/strong> and <strong>rule-files<\/strong>, respectively.<\/li>\n\n\n\n<li><strong>Packet sizes<\/strong>. Controls how many packets Suricata keeps in flight and the maximum packet size it processes. Set the packet count in the <strong>max-pending-packets<\/strong> parameter and the size in bytes in the <strong>default-packet-size<\/strong> parameter.<\/li>\n\n\n\n<li><strong>Community Flow ID<\/strong>. Adds a Community ID hash to each flow record so Suricata output can be correlated with other tools like <a href=\"https:\/\/zeek.org\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Zeek<\/strong><\/a>. The <strong>community-id<\/strong> parameter is set to <strong>false<\/strong> by default.<\/li>\n<\/ul><p>Edit the configuration and press <strong>Ctrl + X<\/strong>, <strong>Y<\/strong>, and <strong>Enter<\/strong> to save the changes. To quickly search for a specific parameter, use the <strong>Ctrl + W<\/strong> shortcut to open the search prompt.<\/p><p>In addition to reading the comments in the file, check the <a href=\"https:\/\/docs.suricata.io\/en\/latest\/configuration\/suricata-yaml.html\" target=\"_blank\" rel=\"noreferrer noopener\">Suricata configuration file documentation<\/a> to learn more about the settings. For commented-out parameters like <strong>community-id<\/strong>, remove the hash symbol (<strong>#<\/strong>) at the beginning of the line to enable them.<\/p><h3 class=\"wp-block-heading\" id=\"h-4-enable-network-interfaces\">4. Enable network interfaces<\/h3><p>To inspect network traffic and block malicious packets before they damage your system, Suricata must monitor an interface.<\/p><p>By default, Suricata doesn&rsquo;t track any traffic to or from your server. You must specify which network interface to monitor and which packet capture method to use in the <strong>YAML<\/strong> file.<\/p><p>For example, we want to use the <strong>af-packet<\/strong> capture method and monitor the <strong>venet0<\/strong> network interface. 
Here&rsquo;s how the configuration looks:<\/p><pre class=\"wp-block-preformatted\">af-packet:\n   - interface: venet0<\/pre><p>Enter this command to display the default interface and other routing information:<\/p><pre class=\"wp-block-preformatted\">ip -p -j route show<\/pre><p>Set the packet capture method based on your needs. For example, <strong>af-packet<\/strong> is suitable for live network tracking, while <strong>pcap<\/strong> is ideal for offline analysis.<\/p><p>To monitor multiple network interfaces, add a new list item at the bottom of the capture method section for each additional interface. Ensure each <strong>cluster-id<\/strong> is unique:<\/p><pre class=\"wp-block-preformatted\">   - interface: interface name\n     cluster-id: 29<\/pre><h3 class=\"wp-block-heading\" id=\"h-5-start-suricata\">5. Start Suricata<\/h3><p>Start the Suricata service using the <strong>systemctl<\/strong> command to run it in the background:<\/p><pre class=\"wp-block-preformatted\">sudo systemctl start suricata<\/pre><p>To check if it is running correctly, run the following:<\/p><pre class=\"wp-block-preformatted\">sudo systemctl status suricata<\/pre><p>If the Suricata service is running, Terminal should show the <strong>loaded<\/strong> and <strong>active<\/strong> statuses like the following.<\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-shows-suricata-service-status.png\"><img decoding=\"async\" width=\"1368\" height=\"165\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-shows-suricata-service-status.png\/public\" alt=\"Terminal shows Suricata service status\" class=\"wp-image-101642\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-shows-suricata-service-status.png\/w=1368,fit=scale-down 1368w, 
https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-shows-suricata-service-status.png\/w=300,fit=scale-down 300w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-shows-suricata-service-status.png\/w=1024,fit=scale-down 1024w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-shows-suricata-service-status.png\/w=150,fit=scale-down 150w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-shows-suricata-service-status.png\/w=768,fit=scale-down 768w\" sizes=\"(max-width: 1368px) 100vw, 1368px\" \/><\/a><\/figure><\/div><p>Remember, always restart the Suricata service after modifying the configuration file to ensure the new settings apply properly. Here&rsquo;s the command:<\/p><pre class=\"wp-block-preformatted\">sudo systemctl restart suricata<\/pre><p>Alternatively, stop Suricata and rerun it using the <strong>systemctl start <\/strong>command. To terminate the daemon, enter the following:<\/p><pre class=\"wp-block-preformatted\">sudo systemctl stop suricata<\/pre><h3 class=\"wp-block-heading\" id=\"h-6-automate-suricata-startup\">6. Automate Suricata startup<\/h3><p>Automating Suricata startup helps maintain optimal <a href=\"\/tutorials\/vps-security\">VPS security<\/a> since you don&rsquo;t need to manually reactivate it after rebooting the system. 
This helps improve server management efficiency.<\/p><p>To do so, create a new <strong>systemd<\/strong> service unit file to automatically deploy Suricata when the server starts using the following command:<\/p><pre class=\"wp-block-preformatted\">sudo nano \/etc\/systemd\/system\/suricata.service<\/pre><p>Within the service unit file, enter the following lines:<\/p><pre class=\"wp-block-preformatted\"># Define the Suricata systemd unit\n[Unit]\nDescription=Suricata IDS\/IPS\nAfter=network.target\n\n# Specify the Suricata binary path, the configuration files location, and the network interface\n[Service]\nExecStart=\/usr\/bin\/suricata -c \/etc\/suricata\/suricata.yaml -i venet0\n[Install]\n\nWantedBy=default.target<\/pre><p>Press <strong>Ctrl + X<\/strong>, <strong>Y<\/strong>, and <strong>Enter<\/strong> to save the changes. Run the following command to enable Suricata to load automatically upon system boot:<\/p><pre class=\"wp-block-preformatted\">sudo systemctl enable suricata<\/pre><p>Then, run the <strong>systemctl start<\/strong> command to start Suricata. Check the status to ensure the service is running.<\/p><p>If Terminal returns the &ldquo;<strong>No rule files match<\/strong>&rdquo; error, Suricata might not be able to load the network monitoring rules. To fix it, run <strong>suricata-update <\/strong>to refresh the directory path.<\/p><p>Then, open the <strong>suricata.yaml<\/strong> file and modify the configuration rules, like the following:<\/p><pre class=\"wp-block-preformatted\">default-rule-path: \/var\/lib\/suricata\/rules<\/pre><pre class=\"wp-block-preformatted\">rule-files:\n   - suricata.rules<\/pre><p>Save the file and restart the service to apply the changes.<\/p><h3 class=\"wp-block-heading\" id=\"h-7-test-suricata-functionality\">7. Test Suricata functionality<\/h3><p>After starting Suricata, validate its configuration file to ensure the tool works. 
The easiest way to do this is by using the built-in test command:<\/p><pre class=\"wp-block-preformatted\">sudo suricata -T -c \/etc\/suricata\/suricata.yaml -v<\/pre><p>The <strong>-T<\/strong> option lets you run the Suricata test mode, and <strong>-c<\/strong> allows you to find the configuration file in the specified path. Additionally, the<strong> -v<\/strong> option enables verbose mode, providing details about command execution, including errors.<\/p><p>If you have numerous rules and limited CPU threads, the process will run longer but shouldn&rsquo;t exceed a few minutes. Terminal will print the test logs like the following.<\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2024\/01\/suricata-test-event-logs.png\"><img decoding=\"async\" width=\"1825\" height=\"287\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/suricata-test-event-logs.png\/public\" alt=\"Suricata test event logs\" class=\"wp-image-101643\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/suricata-test-event-logs.png\/w=1825,fit=scale-down 1825w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/suricata-test-event-logs.png\/w=300,fit=scale-down 300w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/suricata-test-event-logs.png\/w=1024,fit=scale-down 1024w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/suricata-test-event-logs.png\/w=150,fit=scale-down 150w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/suricata-test-event-logs.png\/w=768,fit=scale-down 768w\" sizes=\"(max-width: 1825px) 100vw, 1825px\" \/><\/a><\/figure><\/div><p>During this step, look for the warning message indicating misconfiguration in your 
<strong>YAML<\/strong> file. To simplify troubleshooting, we recommend asking our <strong><a href=\"\/blog\/vps-ai-assistant\">VPS AI Assistant Kodee<\/a> <\/strong>for solutions.<\/p><p>Then, check Suricata rules to ensure they detect malicious traffic properly. The <a href=\"https:\/\/docs.suricata.io\/en\/latest\/quickstart.html#alerting\" target=\"_blank\" rel=\"noreferrer noopener\">Suricata quick start guide<\/a> recommends using ET Open rule number <strong>2100498<\/strong> and connecting to a test URL using the <strong>curl<\/strong> command:<\/p><pre class=\"wp-block-preformatted\">curl http:\/\/testmynids.org\/uid\/index.html<\/pre><p>The command will send an HTTP request to trigger the alert rule. Then, Suricata will generate log events in the <strong>eve.json<\/strong> and <strong>fast.log<\/strong> file about the detected traffic.<\/p><p>Check whether Suricata labels the HTTP request as potentially malicious traffic in the <strong>fast.log<\/strong> file. To do so, run the <strong>grep<\/strong> utility to filter the rule ID number:<\/p><pre class=\"wp-block-preformatted\">grep 2100498 \/var\/log\/suricata\/fast.log<\/pre><p>The output should show a log labeling the packet as &ldquo;<strong>Potentially Bad Traffic<\/strong>.&rdquo;<\/p><p>Since the<strong> eve <\/strong>log formats its entries as <strong>JSON<\/strong>, analyzing it requires the <strong>jq <\/strong>utility. Skip this step if you have installed the utility. Otherwise, run the following:<\/p><pre class=\"wp-block-preformatted\">sudo apt install jq<\/pre><p>Then, enter the following command to filter the log file entries based on the signature ID and alert type:<\/p><pre class=\"wp-block-preformatted\">jq 'select(.alert .signature_id==2100498)' \/var\/log\/suricata\/eve.json<\/pre><p>You should see the rule ID and the same &ldquo;<strong>Potentially Bad Traffic<\/strong>&rdquo; category. 
It means Suricata has matched your network traffic with the correct detection rule.<\/p><p>These logs are helpful for alert management and network security monitoring. For example, you can block suspicious traffic sources in <a href=\"\/tutorials\/how-to-configure-firewall-on-ubuntu-using-ufw\/\">Ubuntu&rsquo;s Uncomplicated Firewall<\/a> (UFW) or <strong>iptables<\/strong>.<\/p><h3 class=\"wp-block-heading\" id=\"h-8-update-suricata-rules\">8. Update Suricata rules<\/h3><p>Suricata detects suspicious packets using user-defined signatures or rules. It includes some by default, but they might be insufficient if your server receives traffic from many sources.<\/p><p>To add new rules, fetch additional rulesets from various third-party providers. While some of them are free, others might charge a subscription fee. To list them, run the following command:<\/p><pre class=\"wp-block-preformatted\">sudo suricata-update list-sources<\/pre><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-prints-external-ruleset-providers-for-suricata.png\"><img decoding=\"async\" width=\"961\" height=\"417\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-prints-external-ruleset-providers-for-suricata.png\/public\" alt=\"Terminal prints external ruleset providers for Suricata\" class=\"wp-image-101644\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-prints-external-ruleset-providers-for-suricata.png\/w=961,fit=scale-down 961w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-prints-external-ruleset-providers-for-suricata.png\/w=300,fit=scale-down 300w, 
https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-prints-external-ruleset-providers-for-suricata.png\/w=150,fit=scale-down 150w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-prints-external-ruleset-providers-for-suricata.png\/w=768,fit=scale-down 768w\" sizes=\"(max-width: 961px) 100vw, 961px\" \/><\/a><\/figure><\/div><p>You will see each provider&rsquo;s vendor, summary, license, and subscription information. To enable a ruleset source, run the following command:<\/p><pre class=\"wp-block-preformatted\">sudo suricata-update enable-source provider-name<\/pre><p>Replace the <strong>provider-name<\/strong> placeholder with your desired ruleset source. For example, run this to enable <strong>sslbl\/ja3-fingerprints<\/strong>:<\/p><pre class=\"wp-block-preformatted\">sudo suricata-update enable-source sslbl\/ja3-fingerprints<\/pre><p>Then, rerun the <strong>suricata-update<\/strong> command to download the enabled sources and write the merged, validated rule file to the <strong>\/var\/lib\/suricata\/rules<\/strong> directory. If you don&rsquo;t add an external source, updating Suricata retrieves the default rules from <strong>ET OPEN<\/strong>.<\/p><p>After updating the default ET OPEN source, the output reports how many <strong>packet payload signatures<\/strong> and <strong>ip-only rules<\/strong> Suricata has processed.<\/p><p>The update message should end with the tool cleaning up the signature grouping structure. 
If you are up-to-date, Terminal will print &ldquo;<strong>No changes detected, exiting<\/strong>.&rdquo;<\/p><div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><a href=\"\/tutorials\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-indicates-the-current-suricata-ruleset-is-up-to-date.png\"><img decoding=\"async\" width=\"1098\" height=\"46\" src=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-indicates-the-current-suricata-ruleset-is-up-to-date.png\/public\" alt=\"Terminal indicates that the current Suricata ruleset is up-to-date\" class=\"wp-image-101645\" srcset=\"https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-indicates-the-current-suricata-ruleset-is-up-to-date.png\/w=1098,fit=scale-down 1098w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-indicates-the-current-suricata-ruleset-is-up-to-date.png\/w=300,fit=scale-down 300w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-indicates-the-current-suricata-ruleset-is-up-to-date.png\/w=1024,fit=scale-down 1024w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-indicates-the-current-suricata-ruleset-is-up-to-date.png\/w=150,fit=scale-down 150w, https:\/\/imagedelivery.net\/LqiWLm-3MGbYHtFuUbcBtA\/wp-content\/uploads\/sites\/2\/2024\/01\/terminal-indicates-the-current-suricata-ruleset-is-up-to-date.png\/w=768,fit=scale-down 768w\" sizes=\"(max-width: 1098px) 100vw, 1098px\" \/><\/a><\/figure><\/div><p>We recommend running the Suricata update tool regularly to ensure your system receives the latest rule. 
Enforcing the newest detection method helps maintain optimal Ubuntu server security.<\/p><p>Optionally, use Suricata rules management tools like <a href=\"https:\/\/github.com\/shirkdog\/pulledpork\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Pulledpork<\/strong><\/a><strong> <\/strong>and <a href=\"https:\/\/oinkmaster.sourceforge.net\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>Oinkmaster<\/strong><\/a><strong> <\/strong>to fine-tune the detection method. Use <strong>nano<\/strong> to modify the file:<\/p><pre class=\"wp-block-preformatted\">sudo nano \/etc\/suricata\/rules\/rule_name.rules<\/pre><p>The Suricata rule syntax is as follows:<\/p><pre class=\"wp-block-preformatted\">action protocol source-ip\/port -&gt; destination-ip\/port (options; options; ... )<\/pre><p>Here are what each parameter means and its accepted values:<\/p><ul class=\"wp-block-list\">\n<li><strong>action<\/strong>. The action to take when the rule condition is met. Possible values include <strong>drop<\/strong>, <strong>alert<\/strong>, and <strong>log<\/strong>.<\/li>\n\n\n\n<li><strong>protocol<\/strong>. The monitored network protocol, including <strong>TCP<\/strong>, <strong>UDP<\/strong>, <strong>ICMP<\/strong>, or <strong>IP<\/strong>.<\/li>\n\n\n\n<li><strong>source-ip\/port<\/strong>. The <strong>IP<\/strong> and <strong>port<\/strong> from which the traffic originates.<\/li>\n\n\n\n<li><strong>destination-ip\/port<\/strong>. The <strong>IP<\/strong> and <strong>port<\/strong> on which the rule applies.<\/li>\n\n\n\n<li><strong>(options; options; &hellip;)<\/strong>. 
Keywords that set additional options or match conditions.<\/li>\n<\/ul><p>To learn more about these parameters and the available options, check out the <a href=\"https:\/\/docs.suricata.io\/en\/latest\/rules\/intro.html\" target=\"_blank\" rel=\"noreferrer noopener\">Suricata rules documentation<\/a>.<\/p><h2 class=\"wp-block-heading\" id=\"h-conclusion\">Conclusion<\/h2><p>Suricata is an open-source IDS and IPS that helps prevent malicious traffic from infiltrating your server and so improves your system security. It works by detecting and dropping suspicious traffic based on its rules.<\/p><p>In this article, we have explained the Suricata configuration on <strong>Ubuntu 22.04<\/strong> or later. After installing the distribution and gaining root access to your server via SSH, follow these steps:<\/p><ol class=\"wp-block-list\">\n<li><strong>Update Ubuntu packages<\/strong>. Run the <strong>apt update<\/strong> and <strong>apt upgrade<\/strong> commands to install the latest version of all packages.<\/li>\n\n\n\n<li><strong>Install Suricata<\/strong>. Install the tool via APT, or via the OISF repository if you want the newest Suricata version.<\/li>\n\n\n\n<li><strong>Configure Suricata<\/strong>. Use a text editor like <strong>nano<\/strong> to edit the <strong>suricata.yaml<\/strong> file and tweak the default configuration.<\/li>\n\n\n\n<li><strong>Enable network interfaces<\/strong>. Change the packet capture method and network interface parameters so that Suricata can monitor your server&rsquo;s traffic.<\/li>\n\n\n\n<li><strong>Start Suricata<\/strong>. Run the <strong>systemctl<\/strong> command to start Suricata as a daemon.<\/li>\n\n\n\n<li><strong>Automate Suricata startup<\/strong>. Create a Suricata <strong>systemd<\/strong> service unit file and use <strong>systemctl<\/strong> to enable the tool during system startup.<\/li>\n\n\n\n<li><strong>Test Suricata functionality<\/strong>. 
Validate the Suricata configuration file using the built-in test feature and check the rules by sending a mock-up HTTP request.<\/li>\n\n\n\n<li><strong>Update Suricata rules<\/strong>. Run<strong> suricata-update<\/strong> with the <strong>enable-source<\/strong> flag to retrieve a ruleset from an external source. Update Suricata to apply and validate the new rules.<\/li>\n<\/ol><p>We hope this article helps you install the tool in your Ubuntu VPS. If you have any questions or encounter issues during the setup process, leave us a comment below.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) help prevent cyber criminals from infiltrating your server. These network security [&#8230;]<\/p>\n<p><a class=\"btn btn-secondary understrap-read-more-link\" href=\"\/tutorials\/how-to-install-suricata-on-ubuntu\">Read More&#8230;<\/a><\/p>\n","protected":false},"author":337,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"rank_math_title":"How to Install Suricata on Ubuntu in %currentyear%","rank_math_description":"Learn how to install Suricata on Ubuntu: 1. Update Ubuntu packages 2. Install Suricata 3. Configure Suricata 4. 
Enable Network Interfaces + more.","rank_math_focus_keyword":"how to install suricata on ubuntu","footnotes":""},"categories":[22648,22644],"tags":[],"class_list":["post-101639","post","type-post","status-publish","format-standard","hentry","category-managing-monitoring-and-security","category-vps"],"hreflangs":[{"locale":"en-US","link":"https:\/\/www.hostinger.com\/tutorials\/how-to-install-suricata-on-ubuntu","default":0},{"locale":"fr-FR","link":"https:\/\/www.hostinger.com\/fr\/tutoriels\/comment-installer-suricata-sur-ubuntu","default":0},{"locale":"es-ES","link":"https:\/\/www.hostinger.com\/es\/tutoriales\/como-instalar-suricata-en-ubuntu","default":0},{"locale":"id-ID","link":"https:\/\/www.hostinger.com\/id\/tutorial\/cara-instal-suricata-ubuntu","default":0},{"locale":"en-UK","link":"https:\/\/www.hostinger.com\/uk\/tutorials\/how-to-install-suricata-on-ubuntu","default":0},{"locale":"en-MY","link":"https:\/\/www.hostinger.com\/my\/tutorials\/how-to-install-suricata-on-ubuntu","default":0},{"locale":"en-PH","link":"https:\/\/www.hostinger.com\/ph\/tutorials\/how-to-install-suricata-on-ubuntu","default":0},{"locale":"es-MX","link":"https:\/\/www.hostinger.com\/mx\/tutoriales\/como-instalar-suricata-en-ubuntu","default":0},{"locale":"es-CO","link":"https:\/\/www.hostinger.com\/co\/tutoriales\/como-instalar-suricata-en-ubuntu","default":0},{"locale":"es-AR","link":"https:\/\/www.hostinger.com\/ar\/tutoriales\/como-instalar-suricata-en-ubuntu","default":0},{"locale":"en-IN","link":"https:\/\/www.hostinger.com\/in\/tutorials\/how-to-install-suricata-on-ubuntu","default":0},{"locale":"en-CA","link":"https:\/\/www.hostinger.com\/ca\/tutorials\/how-to-install-suricata-on-ubuntu","default":0},{"locale":"en-AU","link":"https:\/\/www.hostinger.com\/au\/tutorials\/how-to-install-suricata-on-ubuntu","default":0},{"locale":"en-NG","link":"https:\/\/www.hostinger.com\/ng\/tutorials\/how-to-install-suricata-on-ubuntu","default":0}],"_links":{"self":[{"href":"https:\/\/www
.hostinger.com\/tutorials\/wp-json\/wp\/v2\/posts\/101639","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hostinger.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hostinger.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hostinger.com\/tutorials\/wp-json\/wp\/v2\/users\/337"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hostinger.com\/tutorials\/wp-json\/wp\/v2\/comments?post=101639"}],"version-history":[{"count":6,"href":"https:\/\/www.hostinger.com\/tutorials\/wp-json\/wp\/v2\/posts\/101639\/revisions"}],"predecessor-version":[{"id":125926,"href":"https:\/\/www.hostinger.com\/tutorials\/wp-json\/wp\/v2\/posts\/101639\/revisions\/125926"}],"wp:attachment":[{"href":"https:\/\/www.hostinger.com\/tutorials\/wp-json\/wp\/v2\/media?parent=101639"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hostinger.com\/tutorials\/wp-json\/wp\/v2\/categories?post=101639"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hostinger.com\/tutorials\/wp-json\/wp\/v2\/tags?post=101639"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}