How To Install Suricata on Manjaro

Network security has become a critical concern for system administrators, security professionals, and tech enthusiasts managing Linux-based infrastructures. Protecting your network from intrusions, malware, and unauthorized access requires robust monitoring tools that can detect and prevent threats in real-time. Suricata stands out as a powerful, open-source network intrusion detection and prevention system that delivers enterprise-grade security capabilities without the hefty price tag of commercial solutions.

This comprehensive guide walks you through installing Suricata on Manjaro Linux, an Arch-based distribution known for its user-friendly interface and rolling release model. You’ll learn how to install Suricata using the Arch User Repository (AUR), configure essential settings, manage detection rules, and test your installation to ensure optimal network protection. Whether you’re securing a home lab or deploying network monitoring for production environments, this tutorial provides the detailed steps needed to get Suricata running efficiently on your Manjaro system.

What is Suricata?

Suricata is an open-source network security engine developed and maintained by the Open Information Security Foundation (OISF). Unlike traditional intrusion detection systems, Suricata functions as a versatile security solution capable of operating as an Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) engine simultaneously.

The software distinguishes itself through its multi-threaded architecture, which leverages modern multi-core processors to analyze network traffic at wire speed. While older solutions like Snort operate on a single thread, Suricata distributes processing across multiple CPU cores, dramatically improving performance in high-traffic environments. This architectural advantage makes it ideal for networks ranging from small home setups to enterprise-level deployments.

Suricata performs protocol-aware inspection of network traffic, understanding application-layer protocols including HTTP, TLS, DNS, SMB, FTP, and many others. This deep packet inspection capability allows it to detect sophisticated threats that might bypass simpler network monitoring tools. The engine also supports both Suricata-native rules and Snort rules, providing access to extensive community-developed threat signatures.

One of Suricata’s most valuable features is its rich JSON logging format called EVE (Extensible Event Format). This structured logging approach enables seamless integration with Security Information and Event Management (SIEM) systems like Splunk, the ELK Stack (Elasticsearch, Logstash, Kibana), and Wazuh. Security teams can aggregate, analyze, and visualize security events across their entire infrastructure, creating a comprehensive security monitoring ecosystem.

Why Choose Suricata for Manjaro?

Manjaro users benefit from several advantages when deploying Suricata for network security monitoring. The Arch-based nature of Manjaro ensures excellent compatibility with Suricata packages available through the Arch User Repository, providing access to relatively current versions of the software without complex compilation procedures.

Performance represents a significant consideration when selecting intrusion detection software. Suricata’s multi-threaded design maximizes the capabilities of modern processors, making it particularly effective on systems with multiple CPU cores. The rolling release model of Manjaro means you’re running recent kernel versions and system libraries, which complement Suricata’s performance optimization features.

Resource consumption remains reasonable compared to commercial security appliances. Suricata operates efficiently on modest hardware, though performance scales impressively when provided with additional resources. This flexibility allows deployment across various scenarios, from Raspberry Pi network monitors to dedicated security servers processing gigabits of traffic.

The active development community surrounding both Suricata and Arch Linux ensures regular updates, security patches, and feature enhancements. Documentation, forum discussions, and community support provide valuable resources when troubleshooting issues or implementing advanced configurations. This ecosystem support proves invaluable for both beginners taking their first steps in network security and experienced administrators deploying sophisticated security architectures.

Prerequisites Before Installation

Before proceeding with the Suricata installation on your Manjaro system, ensure you meet several technical requirements and have the necessary access permissions.

Your system should have at least 2GB of RAM, though 4GB or more is recommended for production environments or networks with substantial traffic volumes. Suricata’s multi-threaded architecture performs best on multi-core processors, so systems with dual-core or better CPUs will deliver optimal performance. Ensure adequate disk space is available, with at least 10GB recommended for log storage, though actual requirements vary based on your network traffic volume and log retention policies.

You’ll need sudo or root access to install packages, modify system configurations, and manage systemd services. Basic command-line proficiency is essential, as most Suricata configuration and management occurs through terminal commands. Familiarity with systemd service management helps when starting, stopping, and troubleshooting the Suricata daemon.

Network configuration knowledge proves crucial for effective deployment. Use the ip a command to identify your network interfaces and determine which interface Suricata should monitor. Understanding your network topology, including the IP address ranges of systems you’re protecting, helps configure the HOME_NET variable correctly in Suricata’s configuration file.

Before installation, update your Manjaro system to ensure all packages are current. Run sudo pacman -Syu to synchronize package databases and upgrade installed software. This step prevents potential conflicts between outdated system libraries and Suricata’s dependencies.

Installing Suricata on Manjaro

Manjaro users have multiple installation methods available, with the Arch User Repository (AUR) providing the most straightforward approach for most users.

Method 1: Installing from AUR

The AUR offers community-maintained packages for software not included in official Arch repositories. Installing Suricata from the AUR requires an AUR helper like yay or paru, or you can build the package manually.

First, ensure your system has the necessary build tools. If you haven’t installed base-devel and git, run:

sudo pacman -S --needed base-devel git

Using yay (Recommended):

If you don’t have yay installed, set it up first:

cd /tmp
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si

Once yay is available, search for Suricata packages:

yay -Ss suricata

This command displays available Suricata packages in the AUR. Install the stable version:

yay -S suricata

The yay helper automatically resolves dependencies, downloads the build files, and compiles the package. You’ll be prompted to review the PKGBUILD file before proceeding—take a moment to verify it looks legitimate. Confirm the installation when prompted, and yay handles the compilation and installation process.

Using paru (Alternative):

Paru serves as another excellent AUR helper with similar functionality:

paru -S suricata

Paru offers enhanced security features and a user interface similar to pacman, making it comfortable for users familiar with Arch’s official package manager.

Manual AUR Installation:

For users who prefer manual control over the build process, clone the Suricata AUR repository directly:

cd ~/Downloads
git clone https://aur.archlinux.org/suricata.git
cd suricata

Review the PKGBUILD file to understand what the build script does:

cat PKGBUILD

Build and install the package:

makepkg -si

The -s flag installs dependencies automatically, while -i installs the built package once compilation completes. This manual approach provides complete transparency about what’s being installed on your system.

Method 2: Building from Source (Optional)

Advanced users seeking the latest development features or requiring custom compilation options might prefer building Suricata from source code.

Install the comprehensive list of build dependencies:

sudo pacman -S gcc make libpcap libnet libyaml pcre2 libnfnetlink libnetfilter_queue jansson file rust cargo

Download the latest Suricata source code from the official website:

cd ~/Downloads
wget https://www.openinfosecfoundation.org/download/suricata-7.0.7.tar.gz
tar -xzf suricata-7.0.7.tar.gz
cd suricata-7.0.7

Configure the build with appropriate paths for Manjaro:

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-rust

Compile the source code (this takes several minutes):

make

Install Suricata and its configuration files:

sudo make install-full

Building from source provides access to cutting-edge features but requires more maintenance, as you’ll need to manually track updates and rebuild when new versions are released. Most users find the AUR installation method strikes the best balance between currency and convenience.

Initial Configuration

Proper configuration determines Suricata’s effectiveness in detecting network threats. The main configuration file uses YAML formatting, which is human-readable but syntax-sensitive.

Understanding the Configuration File

Suricata’s primary configuration file resides at /etc/suricata/suricata.yaml. Before making any changes, create a backup:

sudo cp /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.backup

This backup proves invaluable if configuration errors prevent Suricata from starting. YAML syntax is straightforward but unforgiving—indentation matters, and tabs aren’t allowed. Use spaces for indentation, and maintain consistent spacing throughout the file.

Open the configuration file with your preferred text editor:

sudo nano /etc/suricata/suricata.yaml

The configuration file contains multiple sections including variable definitions, output settings, application-layer protocol parsers, and performance tuning options. Don’t feel overwhelmed by its length—you only need to modify a few critical settings for basic operation.

Essential Configuration Settings

Configure HOME_NET Variable:

The HOME_NET variable defines the IP address ranges Suricata considers as your internal network. Locate the vars section near the top of the configuration file and set your network range:

vars:
  address-groups:
    HOME_NET: "[192.168.1.0/24]"
    EXTERNAL_NET: "!$HOME_NET"

Replace 192.168.1.0/24 with your actual network range. For multiple subnets, use comma-separated values:

HOME_NET: "[192.168.1.0/24,10.0.0.0/8]"

Accurate HOME_NET configuration ensures Suricata correctly identifies traffic direction and reduces false positives.

Set Default Log Directory:

Verify the log directory configuration in the default-log-dir setting:

default-log-dir: /var/log/suricata/

Ensure this directory exists and has appropriate permissions:

sudo mkdir -p /var/log/suricata
sudo chown suricata:suricata /var/log/suricata

Configure Network Interface:

Find the af-packet section in the configuration file. This section controls which network interface Suricata monitors. First, identify your interface name:

ip a

Common interface names include eth0, enp3s0, wlan0, or similar. In the configuration file, locate and modify:

af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes

Replace eth0 with your actual interface name. The cluster settings optimize multi-threaded performance.

Configure Rule Paths:

Suricata needs to know where to find its detection rules. Locate the default-rule-path and rule-files sections:

default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

These paths will contain rules after running suricata-update, covered in the next section.

Set Host OS Policy:

Configuring the correct operating system policy helps Suricata make accurate assumptions about network behavior:

host-os-policy:
  policy: linux

Enable Community ID:

Community ID creates consistent flow identifiers that facilitate correlation with other security tools:

outputs:
  - eve-log:
      enabled: yes
      community-id: true

This setting adds Community ID hashes to JSON logs, enabling cross-tool correlation in security operations centers.

Rule Management with Suricata-Update

Suricata’s detection capabilities depend on regularly updated rule sets that identify known attack patterns, malware signatures, and suspicious network behaviors.

Installing and Configuring Suricata-Update

Suricata-update typically installs automatically with Suricata. Verify its availability:

suricata-update --version

If the command isn’t found, install it using pip:

sudo pacman -S python-pip
sudo pip install --upgrade suricata-update

Downloading Initial Ruleset

Run suricata-update for the first time to download the default Emerging Threats Open ruleset:

sudo suricata-update

This command performs several actions: it downloads the latest rule definitions, processes them for Suricata compatibility, and places them in /var/lib/suricata/rules/suricata.rules. The initial download may take a few minutes depending on your internet connection speed.

Suricata-update consolidates multiple rule files into a single suricata.rules file, simplifying management and ensuring your configuration remains clean. The tool intelligently handles rule conflicts and applies necessary modifications for optimal performance.

Managing Rule Sources

Suricata-update supports multiple rule sources beyond the default Emerging Threats Open set. View available sources:

sudo suricata-update list-sources

This command displays community-maintained rule sources, commercial options, and specialized rule sets targeting specific threats. Enable additional sources to enhance detection coverage:

sudo suricata-update enable-source tgreen/hunting
sudo suricata-update

Some rule sources require registration or subscriptions. Emerging Threats Pro, for example, offers commercial rules with faster updates and additional signatures, though it requires a paid license.

Schedule automatic rule updates using a systemd timer or cron job. Create a cron entry:

sudo crontab -e

Add a line to update rules daily at 2 AM:

0 2 * * * /usr/bin/suricata-update && /usr/bin/systemctl reload suricata

Regular updates ensure Suricata can detect the latest threats as threat intelligence evolves.

Custom Rules (Brief Overview)

Organizations often need custom rules addressing specific security concerns unique to their environment. Create custom rule files in /etc/suricata/rules/:

sudo mkdir -p /etc/suricata/rules
sudo nano /etc/suricata/rules/custom.rules

Add this custom rule file to your suricata.yaml configuration:

rule-files:
  - suricata.rules
  - custom.rules

Basic Suricata rule syntax follows this pattern:

alert tcp any any -> $HOME_NET 22 (msg:"SSH Connection Attempt"; sid:1000001; rev:1;)

The official Suricata documentation provides comprehensive guidance on rule writing syntax, keywords, and best practices for creating effective detection signatures.

Starting and Testing Suricata

With configuration complete and rules downloaded, you’re ready to start Suricata and verify it’s functioning correctly.

Manual Startup

Before enabling Suricata as a system service, test the configuration syntax to catch any errors:

sudo suricata -T -c /etc/suricata/suricata.yaml -v

The -T flag tells Suricata to test the configuration without actually starting. The -v flag provides verbose output, showing detailed information about what Suricata is loading. Watch for error messages—common issues include YAML indentation errors, missing rule files, or incorrect interface names.

If the configuration test passes, manually start Suricata to observe its initial behavior:

sudo suricata -c /etc/suricata/suricata.yaml -i eth0 -v

Replace eth0 with your interface name. Suricata runs in the foreground, displaying startup messages and statistics. Watch for messages indicating successful initialization, rule loading, and thread startup. Press Ctrl+C to stop the manual instance once you’ve verified it starts correctly.

Configuring Systemd Service

For permanent deployment, enable Suricata as a systemd service that starts automatically at boot.

Check the service status:

sudo systemctl status suricata.service

Start the Suricata service:

sudo systemctl start suricata.service

Enable automatic startup at boot time:

sudo systemctl enable suricata.service

After making configuration changes, restart the service:

sudo systemctl restart suricata.service

Monitor service logs in real-time using journalctl:

sudo journalctl -u suricata.service -f

This command displays log messages as Suricata generates them, useful for troubleshooting or monitoring system behavior. Press Ctrl+C to stop following logs.

Testing Detection Capabilities

Verify Suricata is actively monitoring traffic and generating alerts using a harmless test:

curl http://testmynids.org/uid/index.html

This command triggers a test signature in Suricata’s rule set. Check the fast.log file for the alert:

sudo tail -f /var/log/suricata/fast.log

You should see an alert indicating Suricata detected the test pattern. If no alert appears, check that Suricata is running, monitoring the correct interface, and has loaded rules successfully.

Additional testing methods include running nmap scans against your system from another machine or using network testing tools like hping3 to generate specific traffic patterns. Always conduct testing ethically and only on networks you own or have explicit permission to test.

Monitoring Suricata Logs

Suricata generates comprehensive logs that provide visibility into network activity and detected threats.

Log File Locations

Navigate to the default log directory:

cd /var/log/suricata/
ls -lh

Key log files include:

eve.json – The primary structured log file containing detailed event information in JSON format. This file is the most valuable for analysis and SIEM integration.

fast.log – A simple, human-readable alert log showing basic information about detected threats. Useful for quick checks but lacks the detail of EVE logs.

stats.log – Performance statistics including packet capture rates, dropped packets, memory usage, and thread performance metrics.

suricata.log – The main application log containing startup messages, errors, warnings, and operational information about Suricata itself.

Analyzing EVE JSON Logs

The EVE JSON format provides structured, machine-readable logs ideal for automated analysis. Install jq for convenient JSON parsing:

sudo pacman -S jq

View formatted alerts in real-time:

sudo tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'

This command filters only alert events and displays them in readable JSON format. Extract specific fields like source IP addresses from alerts:

sudo cat /var/log/suricata/eve.json | jq 'select(.event_type=="alert") | .src_ip' | sort | uniq -c | sort -rn

This pipeline identifies which source IP addresses have generated the most alerts, helping prioritize investigation efforts.

Query DNS events to see domain resolution activity:

sudo tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="dns")'

The flexibility of JSON logging enables sophisticated analysis, automated response workflows, and integration with broader security infrastructure.

Log Rotation and Management

Suricata logs can grow rapidly in busy network environments. Implement log rotation to prevent disk space exhaustion. Create a logrotate configuration:

sudo nano /etc/logrotate.d/suricata

Add this configuration:

/var/log/suricata/*.log /var/log/suricata/*.json {
    daily
    rotate 7
    compress
    delaycompress
    missingok
    notifempty
    create 640 suricata suricata
    sharedscripts
    postrotate
        /bin/systemctl reload suricata.service > /dev/null 2>&1 || true
    endscript
}

This configuration rotates logs daily, keeps seven days of history, compresses old logs to save space, and reloads Suricata after rotation. Adjust the retention period based on your compliance requirements and available storage.

Troubleshooting Common Issues

Even with careful configuration, you might encounter issues when deploying Suricata.

Suricata Won’t Start

If Suricata fails to start, check the systemd logs for specific error messages:

sudo journalctl -u suricata.service -n 50

Common causes include:

Configuration syntax errors – YAML is indentation-sensitive. Verify spacing is consistent and no tabs are present. Run the configuration test again with verbose output to identify the problematic section.

Incorrect interface name – Ensure the interface specified in suricata.yaml exists on your system. Use ip a to verify the correct interface name.

Permission issues – Check that log directories exist and have appropriate ownership:

sudo chown -R suricata:suricata /var/log/suricata
sudo chmod 750 /var/log/suricata

Missing rule files – If Suricata can’t find specified rule files, run sudo suricata-update to download rules.

No Alerts Generated

If Suricata starts successfully but doesn’t generate expected alerts, several factors might be responsible.

Verify rules loaded successfully by checking suricata.log:

sudo grep "rules loaded" /var/log/suricata/suricata.log

This line shows how many rules Suricata successfully loaded. If the count is zero or unexpectedly low, rule loading failed.

Confirm network traffic is flowing through the monitored interface:

sudo tcpdump -i eth0 -c 10

This command captures ten packets to verify the interface is receiving traffic. If tcpdump shows no packets, the interface might be inactive or incorrectly specified.

Review rule actions—rules using the “pass” action won’t generate alerts. Check HOME_NET configuration matches your actual network topology. Mismatched network definitions can cause Suricata to ignore traffic it should monitor.

Performance Issues

High CPU usage or packet drops indicate performance problems requiring tuning.

CPU usage optimization:

Adjust the number of worker threads in suricata.yaml:

threading:
  set-cpu-affinity: no
  cpu-affinity:
  detect-thread-ratio: 1.0

Disable unused protocol parsers to reduce processing overhead. If you don’t need SMB inspection, for example, disable it in the configuration.

Memory consumption:

Monitor Suricata’s memory usage:

ps aux | grep suricata

Reduce stream memory settings if consumption is excessive:

stream:
  memcap: 128mb
  max-sessions: 262144

Packet drops:

Check packet drop statistics:

sudo suricata -c /etc/suricata/suricata.yaml -i eth0 --pfring-cluster-id=99 --pfring-cluster-type=cluster_flow

Packet drops indicate Suricata can’t keep pace with network traffic. Solutions include adding more CPU cores, reducing rule complexity, or upgrading hardware.

Security Best Practices

Implementing Suricata effectively requires following security best practices.

Run Suricata with minimal privileges. The installation typically creates a dedicated suricata user account, preventing potential attackers from leveraging Suricata’s network access for privilege escalation.

Schedule regular rule updates to maintain detection coverage against emerging threats. Daily updates strike a good balance between staying current and avoiding excessive update frequency:

0 3 * * * /usr/bin/suricata-update && /usr/bin/systemctl reload suricata

Integrate Suricata with Security Information and Event Management systems for centralized monitoring and correlation. The EVE JSON format facilitates integration with popular SIEM platforms including Splunk, ELK Stack, and Wazuh.

Configure alert thresholds to prevent alert fatigue. Excessive alerts desensitize operators to genuine threats. Tune rules to reduce false positives while maintaining detection effectiveness.

Test configuration changes thoroughly before deploying to production. Use a test environment or low-priority network segment to validate new rules and configuration modifications.

Keep your Manjaro system updated with latest security patches:

sudo pacman -Syu

Monitor Suricata’s own logs for anomalies or errors indicating potential issues with the monitoring infrastructure itself.

Start in IDS mode rather than IPS mode initially. IDS mode generates alerts without blocking traffic, allowing you to tune rules and understand normal network patterns before risking service disruptions. IPS mode requires careful rule tuning and should only be enabled after thorough testing, as overly aggressive rules might block legitimate traffic or SSH access to your servers.

Congratulations! You have successfully installed Suricata. Thanks for using this tutorial for installing Suricata open-source network analysis on your Manjaro Linux system. For additional help or useful information, we recommend you check the official Suricata website.