In this tutorial, we will show you how to install Suricata on CentOS 8. For those of you who didn’t know, Suricata is a free and open-source, mature, fast, and robust network threat detection engine. It can function as intrusion detection (IDS) engine, inline intrusion prevention system (IPS), network security monitoring (NSM) as well as an offline pcap processing tool. Suricata inspects the network traffic using powerful and extensive rules and signature language and has powerful Lua scripting support for the detection of complex threats.
This article assumes you have at least basic knowledge of Linux, know how to use the shell, and most importantly, you host your site on your own VPS. The installation is quite simple and assumes you are running in the root account, if not you may need to add ‘
sudo‘ to the commands to get root privileges. I will show you through the step-by-step installation of Suricata on a CentOS 8.
Install Suricata on CentOS 8
Step 1. First, let’s start by ensuring your system is up-to-date.
sudo dnf clean all sudo dnf install epel-release sudo dnf update
Step 2. Installing Required Build tools and Dependencies.
Install package dependencies and build tools required:
sudo dnf config-manager --set-enabled PowerTools sudo dnf install diffutils file-devel gcc jansson-devel make nss-devel libyaml-devel libcap-ng-devel libpcap-devel pcre-devel python3 python3-pyyaml rust-toolset zlib-devel curl wget tar lua lua-devel lz4-devel
Step 3. Installing Suricata on CentOS 8.
Suricata is packaged in the EPEL repository and can be installed with the following commands:
sudo dnf install suricata
Once the installation is complete enable and start the Suricata service:
sudo systemctl start suricata sudo systemctl enable suricata
Step 4. Configuration Suricata.
The configuration file is located at
/etc/suricata/suricata.yaml. By default the Emerging Threats Open ruleset will be used until another rule source is configured. To update your rules, run the following command below:
Step 5. Configure Firewall.
- IPS Mode with NFQUEUE – Single Host
If you would like to use IPS mode for protecting the host that Suricata is running on, a few
direct rules must be added to firewalld:
firewall-cmd --permanent --direct --add-rule \ ipv4 filter INPUT 0 -j NFQUEUE firewall-cmd --permanent --direct --add-rule \ ipv4 filter OUTPUT 0 -j NFQUEUE
- IPS Mode with NFQUEUE – NAT/Router Mode
To protect machines behind the Suricata host in the case where it’s acting like a router, a single
direct the rule must be added to firewalld.
firewall-cmd --permanent --direct --add-rule \ ipv4 filter FORWARD 0 -j NFQUEUE
Congratulations! You have successfully installed Suricata. Thanks for using this tutorial for installing the Suricata in the CentOS 8 system. For additional help or useful information, we recommend you to check the official Suricata website.