RHEL BasedRocky Linux

How To Install Suricata on Rocky Linux 10

r00t

Install Suricata on Rocky Linux 10

Network security monitoring has become crucial for organizations seeking to protect their digital infrastructure from evolving cyber threats. Suricata stands out as a powerful open-source network threat detection engine that combines intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) capabilities into a single, comprehensive solution. Rocky Linux 10, with its enterprise-grade stability and robust security features, provides an ideal foundation for deploying Suricata in production environments.

This comprehensive guide walks you through the complete process of installing and configuring Suricata on Rocky Linux 10. Whether you’re a network administrator, security professional, or system engineer, you’ll find detailed step-by-step instructions, troubleshooting tips, and best practices to successfully implement this critical security tool.

Understanding Suricata and Its Network Security Features

Core Functionality

Suricata operates as a multi-threaded network security engine designed to handle high-speed network traffic analysis and threat detection. Unlike traditional single-threaded security tools, Suricata leverages parallel processing capabilities to examine network packets in real-time without creating performance bottlenecks.

The engine performs deep packet inspection across multiple network protocols, identifying malicious activities, policy violations, and anomalous behavior patterns. Its signature-based detection system works alongside behavioral analysis to provide comprehensive threat coverage. Suricata’s multi-threading architecture enables it to process gigabits of network traffic while maintaining low latency and minimal system resource consumption.

The tool integrates seamlessly with existing security infrastructure, supporting various output formats and logging mechanisms. Security teams can configure custom alerting rules, generate detailed forensic reports, and maintain comprehensive audit trails for compliance requirements.

Advanced Technical Features

Suricata supports automatic protocol detection for IP, TCP, UDP, ICMP, HTTP, TLS, FTP, and SMB protocols, eliminating the need for manual port-based configuration. This intelligent protocol recognition ensures accurate traffic analysis regardless of non-standard port usage or protocol tunneling attempts.

The engine includes built-in Gzip decompression capabilities for analyzing compressed network traffic, particularly useful for HTTP and email security monitoring. Fast IP matching algorithms and GeoIP identification features enable rapid geolocation-based filtering and threat intelligence integration.

LuaJIT scripting support provides extensibility for custom detection logic and advanced rule processing. Security professionals can develop sophisticated detection algorithms, implement custom logging formats, and integrate with external threat intelligence platforms through Lua scripts.

File extraction and analysis capabilities allow Suricata to capture and examine files transmitted across the network, supporting malware detection and data loss prevention initiatives.

System Prerequisites and Hardware Requirements

Minimum Hardware Specifications

Rocky Linux 10 Suricata deployments require minimum 4GB RAM for optimal performance, though production environments typically benefit from 8GB or more depending on network traffic volume. The memory requirements scale with the number of concurrent connections and the complexity of detection rules.

Dual-core processors represent the absolute minimum, but multi-core systems with 4-8 cores significantly improve performance for high-throughput networks. Modern CPUs with hardware acceleration features like Intel’s DPDK or AMD’s equivalent technologies provide substantial performance improvements.

Storage requirements depend on log retention policies and network traffic volume. Allocate minimum 20GB for system files and logs, with additional capacity for long-term log storage and forensic analysis requirements.

Network interface considerations include dedicated monitoring ports for span/mirror traffic and management interfaces for administrative access. Gigabit Ethernet represents the minimum recommended speed for production deployments.

Software Dependencies and Prerequisites

Fresh Rocky Linux 10 installation provides the cleanest foundation for Suricata deployment. While upgrades from previous versions work, clean installations eliminate potential compatibility issues and ensure optimal performance.

Administrative privileges through root access or sudo capabilities are mandatory for installation and configuration procedures. The installation process modifies system files, installs kernel modules, and configures network interfaces.

Active internet connectivity enables package downloads, repository access, and rule set updates. Configure firewall rules to allow outbound HTTPS connections for package management and threat intelligence updates.

SSH access to the target server facilitates remote administration and troubleshooting. Ensure SSH key-based authentication for secure remote management.

Pre-Installation System Setup

Comprehensive System Updates

Begin with complete system package updates to ensure security patches and compatibility improvements are installed. Execute the following command sequence:

sudo dnf update -y
sudo dnf clean all
sudo dnf autoremove -y

The update process may require system reboot for kernel updates. Reboot immediately after kernel updates to ensure all changes take effect before proceeding with Suricata installation.

Monitor the update process for any error messages or package conflicts. Address any repository issues or dependency problems before continuing with the installation.

Repository Configuration and Management

Enable the EPEL (Extra Packages for Enterprise Linux) repository to access additional packages required for Suricata installation:

sudo dnf install epel-release -y
sudo dnf config-manager --set-enabled epel

Activate the CRB (CodeReady Builder) repository for development tools and libraries:

sudo dnf config-manager --set-enabled crb

Add the OISF (Open Information Security Foundation) repository for the latest Suricata versions:

sudo dnf install dnf-plugins-core -y
sudo dnf copr enable @oisf/suricata-7.0 -y

Verify repository configuration by listing available repositories:

sudo dnf repolist

Installing Essential Build Dependencies

Install compilation tools and development libraries required for source-based installation or custom rule compilation:

sudo dnf groupinstall "Development Tools" -y
sudo dnf install gcc gcc-c++ make cmake -y
sudo dnf install jansson-devel pcre2-devel -y
sudo dnf install libyaml-devel libcap-ng-devel -y
sudo dnf install libnet-devel libnfnetlink-devel libnetfilter_queue-devel -y

Install Python 3 and associated development packages:

sudo dnf install python3 python3-pip python3-devel -y
sudo dnf install python3-yaml python3-setuptools -y

Add Rust toolchain for modern Suricata features:

sudo dnf install rust cargo -y

Install Lua development libraries for scripting support:

sudo dnf install lua-devel luajit-devel -y

Suricata Installation Methods

Method 1: EPEL Repository Installation

Package-based installation offers simplicity and automatic dependency resolution. This method provides stable, tested versions suitable for most production environments.

Install Suricata directly from EPEL repository:

sudo dnf install suricata -y

Verify the installation and check version information:

suricata --version
suricata --build-info

Confirm installation paths and file locations:

which suricata
ls -la /etc/suricata/
ls -la /var/log/suricata/

The package installation automatically creates necessary user accounts, directory structures, and systemd service files. Default configuration files are installed in /etc/suricata/ with reasonable baseline settings.

Advantages include simplified maintenance, automatic security updates through the package manager, and tested compatibility with Rocky Linux 10. Limitations may include older versions compared to source installations and reduced customization options.

Method 2: Source Code Compilation

Source compilation provides access to cutting-edge features and enables performance optimizations specific to your hardware configuration. This method requires more technical expertise but offers maximum flexibility.

Download the latest Suricata source code:

cd /tmp
wget https://download.openinfosecfoundation.org/download/suricata-8.0.0.tar.gz
tar -xzf suricata-8.0.0.tar.gz
cd suricata-8.0.0

Configure the build with optimal feature set:

./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-nfqueue --enable-lua --enable-geoip --enable-rust \
--enable-python --enable-hiredis --enable-unix-socket

Compile and install Suricata:

make -j$(nproc)
sudo make install-full

Create systemd service file for source installation:

sudo tee /etc/systemd/system/suricata.service << 'EOF'
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target

[Service]
Type=simple
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid
ExecReload=/bin/kill -USR2 $MAINPID
KillMode=mixed
KillSignal=SIGINT

[Install]
WantedBy=multi-user.target
EOF

Source installation benefits include latest security features, performance optimizations, and custom compilation flags. Drawbacks involve manual update management and increased maintenance complexity.

Initial Configuration and Network Setup

Configuration File Structure and Management

Suricata’s main configuration file /etc/suricata/suricata.yaml controls all operational parameters. Create a backup copy before making modifications:

sudo cp /etc/suricata/suricata.yaml /etc/suricata/suricata.yaml.backup

The YAML configuration format requires precise indentation and syntax. Use a text editor with YAML support to prevent formatting errors:

sudo vim /etc/suricata/suricata.yaml

Key configuration sections include:

  • Network interface definitions
  • Home network ranges
  • Rule set locations
  • Output module settings
  • Detection engine parameters
  • Performance tuning options

Network Interface Configuration

Identify available network interfaces using the ip command:

ip addr show
ip link show

Configure the monitoring interface in suricata.yaml. Locate the af-packet section and modify the interface setting:

af-packet:
  - interface: enp0s3
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes

Define your home network ranges to optimize detection accuracy:

vars:
  address-groups:
    HOME_NET: "[192.168.1.0/24,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"

Configure DNS servers for accurate hostname resolution:

vars:
  address-groups:
    DNS_SERVERS: "[8.8.8.8,8.8.4.4,1.1.1.1]"

Security and Detection Settings

Enable comprehensive logging and output modules:

outputs:
  - fast:
      enabled: yes
      filename: fast.log
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert
        - http
        - dns
        - tls
        - files
        - smtp

Configure rule set locations and update settings:

default-rule-path: /etc/suricata/rules
rule-files:
  - suricata.rules
  - emerging-threats.rules

Set detection engine performance parameters:

detect:
  profile: medium
  custom-values:
    toclient-groups: 3
    toserver-groups: 25

Service Management and System Integration

Systemd Service Control

Enable Suricata to start automatically at boot:

sudo systemctl enable suricata

Start the Suricata service:

sudo systemctl start suricata

Check service status and health:

sudo systemctl status suricata
sudo systemctl is-active suricata
sudo systemctl is-enabled suricata

Monitor service logs for startup issues:

sudo journalctl -u suricata -f
sudo journalctl -u suricata --since "10 minutes ago"

Service Monitoring and Health Checks

Implement automated health monitoring using systemd watchdog capabilities:

sudo systemctl edit suricata

Add watchdog configuration:

[Service]
WatchdogSec=60
Restart=on-failure
RestartSec=10

Monitor system resource usage:

sudo top -p $(pgrep suricata)
sudo ps aux | grep suricata
sudo netstat -tulpn | grep suricata

Configure log rotation to prevent disk space exhaustion:

sudo tee /etc/logrotate.d/suricata << 'EOF'
/var/log/suricata/*.log {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    sharedscripts
    postrotate
        /bin/kill -USR2 $(cat /var/run/suricata.pid 2>/dev/null) 2>/dev/null || true
    endscript
}
EOF

Rule Management and Threat Intelligence

Understanding Suricata Rule Structure

Suricata rules follow a specific syntax pattern for threat detection and response. Each rule contains an action, header, and options sections that define detection criteria and response behavior.

Basic rule anatomy:

action protocol src_ip src_port -> dst_ip dst_port (options)

Common rule actions include:

  • alert: Generate an alert when matched
  • pass: Allow traffic without alerting
  • drop: Block traffic and generate alert
  • reject: Send TCP reset or ICMP unreachable

Rule Set Management and Updates

Install suricata-update tool for automated rule management:

sudo pip3 install suricata-update
sudo mkdir -p /etc/suricata/rules

Initialize rule management configuration:

sudo suricata-update update-sources
sudo suricata-update list-sources

Download and install rule sets:

sudo suricata-update update
sudo suricata-update enable-source et/open
sudo suricata-update enable-source oisf/trafficid

Configure automatic rule updates via cron job:

sudo tee /etc/cron.daily/suricata-update << 'EOF'
#!/bin/bash
/usr/local/bin/suricata-update update && systemctl reload suricata
EOF

sudo chmod +x /etc/cron.daily/suricata-update

Custom Rule Development

Create custom rules directory:

sudo mkdir -p /etc/suricata/rules/custom

Develop organization-specific detection rules:

sudo tee /etc/suricata/rules/custom/local.rules << 'EOF'
# Custom SSH brute force detection
alert tcp any any -> $HOME_NET 22 (msg:"SSH Brute Force Attempt"; flow:to_server; content:"SSH"; depth:3; detection_filter:track by_src, count 5, seconds 60; sid:1000001; rev:1;)

# Custom DNS tunneling detection
alert dns any any -> any 53 (msg:"Potential DNS Tunneling"; dns_query; content:"|00|"; depth:1; byte_test:1,>,50,0; sid:1000002; rev:1;)
EOF

Include custom rules in main configuration:

rule-files:
  - suricata.rules
  - emerging-threats.rules
  - custom/local.rules

Testing and Performance Verification

Installation Verification Procedures

Validate configuration file syntax:

sudo suricata -T -c /etc/suricata/suricata.yaml

Test rule loading and compilation:

sudo suricata --init-errors-fatal -T -c /etc/suricata/suricata.yaml

Verify network interface detection:

sudo suricata --list-runmodes
sudo suricata --list-keywords

Generate test traffic for detection validation:

# Install test tools
sudo dnf install nmap tcpdump -y

# Generate test alerts
nmap -sS -O localhost
curl -H "User-Agent: test" http://testmyids.com

Performance Benchmarking and Optimization

Monitor real-time performance metrics:

sudo tail -f /var/log/suricata/stats.log
sudo suricata --dump-config | grep performance

Analyze memory and CPU utilization:

sudo pidstat -p $(pgrep suricata) 1 10
sudo vmstat 1 10
sudo iostat -x 1 10

Configure performance monitoring dashboard:

# Install monitoring tools
sudo dnf install htop iotop nethogs -y

# Monitor network performance
sudo iftop -i enp0s3
sudo nethogs enp0s3

Optimize detection engine performance:

# Suricata performance tuning
threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]
    - receive-cpu-set:
        cpu: [ 0 ]
    - worker-cpu-set:
        cpu: [ 1, 2, 3 ]

# Memory optimization
runmode: workers

Advanced Configuration and Integration

Multi-Threading and Performance Tuning

Configure worker thread allocation based on CPU cores:

threading:
  set-cpu-affinity: yes
  cpu-affinity:
    - management-cpu-set:
        cpu: [ 0 ]
    - receive-cpu-set:
        cpu: [ 1 ]
    - worker-cpu-set:
        cpu: [ 2, 3, 4, 5 ]
    - verdict-cpu-set:
        cpu: [ 0 ]

Optimize memory allocation and buffer sizes:

# Memory and buffer optimization
max-pending-packets: 65535
runmode: workers

# Packet capture optimization
af-packet:
  - interface: enp0s3
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
    mmap-locked: yes
    tpacket-v3: yes
    ring-size: 2048
    block-size: 32768

Integration with Security Infrastructure

Configure syslog forwarding for SIEM integration:

outputs:
  - syslog:
      enabled: yes
      facility: local0
      level: Info
      identity: suricata

Setup JSON output for log analysis platforms:

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      community-id: true
      types:
        - alert:
            payload: yes
            packet: yes
            http-body: yes
        - http:
            extended: yes
        - dns:
            query: yes
            answer: yes
        - tls:
            extended: yes
        - files:
            force-magic: yes
            force-hash: [md5, sha1, sha256]

Configure remote logging and monitoring:

# Install rsyslog for remote logging
sudo dnf install rsyslog -y

# Configure remote syslog forwarding
sudo tee -a /etc/rsyslog.conf << 'EOF'
# Forward Suricata logs to remote server
local0.* @@siem-server.example.com:514
EOF

sudo systemctl restart rsyslog

Troubleshooting Common Installation Issues

Dependency Resolution Problems

Address missing development libraries:

# Common missing dependencies
sudo dnf install libpcap-devel libcap-ng-devel -y
sudo dnf install nss-devel nspr-devel -y
sudo dnf install file-devel zlib-devel -y

Resolve Python package conflicts:

# Fix Python dependency issues
sudo pip3 install --upgrade pip
sudo pip3 install pyyaml --upgrade
sudo alternatives --install /usr/bin/python python /usr/bin/python3 1

Handle repository access problems:

# Clear repository cache
sudo dnf clean all
sudo dnf makecache

# Verify repository GPG keys
sudo rpm --import https://fedoraproject.org/static/fedora.gpg

Configuration and Runtime Issues

Debug YAML syntax errors:

# Validate YAML syntax
python3 -c "import yaml; yaml.safe_load(open('/etc/suricata/suricata.yaml'))"

# Check configuration with verbose output
sudo suricata -T -c /etc/suricata/suricata.yaml -v

Resolve network interface problems:

# Check interface status
sudo ip link show
sudo ethtool enp0s3

# Verify interface permissions
sudo chmod +r /dev/net/tun
sudo usermod -a -G netdev suricata

Address permission and security context issues:

# Fix SELinux contexts
sudo setsebool -P httpd_can_network_connect 1
sudo restorecon -R /var/log/suricata/
sudo restorecon -R /etc/suricata/

# Verify file permissions
sudo chown -R suricata:suricata /var/log/suricata/
sudo chmod 755 /var/log/suricata/

Performance and Resource Problems

Diagnose high CPU usage:

# Analyze CPU utilization
sudo perf top -p $(pgrep suricata)
sudo strace -p $(pgrep suricata) -c

# Optimize thread configuration
sudo tuned-adm profile network-latency

Resolve memory exhaustion issues:

# Monitor memory usage
sudo cat /proc/$(pgrep suricata)/status | grep Vm
sudo pmap $(pgrep suricata)

# Configure memory limits
sudo systemctl edit suricata

Add memory limits:

[Service]
MemoryLimit=2G
MemoryAccounting=yes

Address log management problems:

# Monitor disk usage
sudo df -h /var/log/
sudo du -sh /var/log/suricata/*

# Implement log compression
sudo find /var/log/suricata/ -name "*.log" -mtime +1 -exec gzip {} \;

Security Best Practices and Hardening

System-Level Security Hardening

Implement principle of least privilege:

# Create dedicated Suricata user
sudo useradd -r -s /sbin/nologin -d /var/lib/suricata suricata

# Set restrictive file permissions
sudo chown -R suricata:suricata /etc/suricata/
sudo chmod 750 /etc/suricata/
sudo chmod 640 /etc/suricata/suricata.yaml

Configure firewall rules for management access:

# Install and configure firewalld
sudo dnf install firewalld -y
sudo systemctl enable --now firewalld

# Allow SSH access only from management networks
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" accept'
sudo firewall-cmd --reload

Enable comprehensive audit logging:

# Configure auditd for security monitoring
sudo dnf install audit -y
sudo systemctl enable --now auditd

# Add Suricata-specific audit rules
sudo tee -a /etc/audit/rules.d/suricata.rules << 'EOF'
-w /etc/suricata/ -p wa -k suricata_config
-w /var/log/suricata/ -p wa -k suricata_logs
-w /usr/bin/suricata -p x -k suricata_exec
EOF

sudo service auditd restart

Monitoring and Maintenance Procedures

Implement automated health monitoring:

# Create health check script
sudo tee /usr/local/bin/suricata-health-check.sh << 'EOF'
#!/bin/bash
LOGFILE="/var/log/suricata-health.log"
DATE=$(date '+%Y-%m-%d %H:%M:%S')

# Check if Suricata is running
if ! systemctl is-active --quiet suricata; then
    echo "[$DATE] ERROR: Suricata service is not running" >> $LOGFILE
    systemctl restart suricata
fi

# Check log file growth
LAST_SIZE=$(stat -c%s /var/log/suricata/eve.json 2>/dev/null || echo 0)
sleep 60
CURRENT_SIZE=$(stat -c%s /var/log/suricata/eve.json 2>/dev/null || echo 0)

if [ $CURRENT_SIZE -eq $LAST_SIZE ]; then
    echo "[$DATE] WARNING: No new events detected in the last minute" >> $LOGFILE
fi

# Check disk space
DISK_USAGE=$(df /var/log/suricata/ | awk 'NR==2 {print $5}' | sed 's/%//')
if [ $DISK_USAGE -gt 80 ]; then
    echo "[$DATE] WARNING: Disk usage at ${DISK_USAGE}%" >> $LOGFILE
fi
EOF

sudo chmod +x /usr/local/bin/suricata-health-check.sh

Schedule regular maintenance tasks:

# Create maintenance cron job
sudo tee /etc/cron.d/suricata-maintenance << 'EOF'
# Suricata maintenance tasks
0 2 * * * root /usr/local/bin/suricata-health-check.sh
0 3 * * 0 root /usr/local/bin/suricata-update update && systemctl reload suricata
0 4 * * * root find /var/log/suricata/ -name "*.log.*" -mtime +30 -delete
EOF

Configure centralized log management:

# Install and configure logrotate
sudo tee /etc/logrotate.d/suricata << 'EOF'
/var/log/suricata/*.log /var/log/suricata/*.json {
    daily
    rotate 30
    compress
    delaycompress
    missingok
    notifempty
    create 644 suricata suricata
    sharedscripts
    postrotate
        /bin/kill -USR2 $(cat /var/run/suricata.pid 2>/dev/null) 2>/dev/null || true
    endscript
}
EOF

Congratulations! You have successfully installed Suricata. Thanks for using this tutorial for installing Suricata on your Rocky Linux 10 system. For additional help or useful information, we recommend you check the official Suricata website.

VPS Manage Service Offer
If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!
Tags
r00t
Photo of r00t

r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.
Copyright © 2025 idroot.us | All Rights Reserved | Follow us for more Linux tutorials!
Back to top button