In this tutorial, we will show you how to install Suricata on CentOS 8. For those of you who didn’t know, Suricata is a free and open-source, mature, fast, and robust network threat detection engine. It can function as an intrusion detection (IDS) engine, inline intrusion prevention system (IPS), network security monitoring (NSM) as well as an offline pcap processing tool. Suricata inspects the network traffic using powerful and extensive rules and signature language and has powerful Lua scripting support for the detection of complex threats.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘sudo‘ to the commands to get root privileges. I will show you the step-by-step installation of Suricata on a CentOS 8.
Prerequisites
- A server running one of the following operating systems: CentOS 8.
- It’s recommended that you use a fresh OS install to prevent any potential issues.
- SSH access to the server (or just open Terminal if you’re on a desktop).
- A
non-root sudo useror access to theroot user. We recommend acting as anon-root sudo user, however, as you can harm your system if you’re not careful when acting as the root.
Install Suricata on CentOS 8
Step 1. First, let’s start by ensuring your system is up-to-date.
sudo dnf clean all sudo dnf install epel-release sudo dnf update
Step 2. Installing Required Build tools and Dependencies.
Install package dependencies and build tools required:
sudo dnf config-manager --set-enabled PowerTools sudo dnf install diffutils file-devel gcc jansson-devel make nss-devel libyaml-devel libcap-ng-devel libpcap-devel pcre-devel python3 python3-pyyaml rust-toolset zlib-devel curl wget tar lua lua-devel lz4-devel
Step 3. Installing Suricata on CentOS 8.
Suricata is packaged in the EPEL repository and can be installed with the following commands:
sudo dnf install suricata
Once the installation is complete enable and start the Suricata service:
sudo systemctl start suricata sudo systemctl enable suricata
Step 4. Configuration Suricata.
The configuration file is located at /etc/suricata/suricata.yaml. By default the Emerging Threats Open ruleset will be used until another rule source is configured. To update your rules, run the following command below:
suricata-update
Step 5. Configure Firewall.
- IPS Mode with NFQUEUE – Single Host
If you would like to use IPS mode for protecting the host that Suricata is running on, a few direct rules must be added to firewalld:
firewall-cmd --permanent --direct --add-rule \
ipv4 filter INPUT 0 -j NFQUEUE
firewall-cmd --permanent --direct --add-rule \
ipv4 filter OUTPUT 0 -j NFQUEUE
- IPS Mode with NFQUEUE – NAT/Router Mode
To protect machines behind the Suricata host in the case where it’s acting like a router, a single direct the rule must be added to firewalld.
firewall-cmd --permanent --direct --add-rule \
ipv4 filter FORWARD 0 -j NFQUEUE
Congratulations! You have successfully installed Suricata. Thanks for using this tutorial for installing the Suricata in the CentOS 8 system. For additional help or useful information, we recommend you to check the official Suricata website.
