Add the Suricata PPA
- First add the Suricata PPA and update the apt cache. (A PPA, or Personal Package Archive, is a repository hosted on Launchpad where developers publish their own Ubuntu packages; ppa:oisf/suricata-stable is maintained by the OISF, the Suricata project itself.) Note that add-apt-repository also imports the PPA's signing key, so from this point on apt trusts whatever that archive publishes: treat adding a PPA as a supply-chain decision, not just a convenience.
# apt-get install software-properties-common
# add-apt-repository ppa:oisf/suricata-stable
# apt-get update
Install Suricata
- Suricata's configuration (suricata.yaml) and rulesets are located under /etc/suricata
- Suricata's binary is located at /usr/bin/suricata
- Suricata's logs (fast.log, eve.json, stats.log, etc.) are written under /var/log/suricata
# apt-get install suricata
Add a 'suricata' user
- Suricata has to start as root in order to open the capture interface, but it should not keep running as root: if the daemon is compromised through a malformed packet, the attacker should end up with an unprivileged account rather than root. Starting as root and then switching to an unprivileged user once initialization is done is referred to as "dropping privileges".
- We will add a user named 'suricata' for this purpose. The -r flag makes it a system account (low UID, no home directory, password locked so nobody can log in with it, no account expiration), and -s /usr/sbin/nologin gives it no interactive shell:
# useradd -r -s /usr/sbin/nologin suricata
# editor /etc/default/suricata
- Change the configuration file to look like this. The line that matters for dropping privileges is RUN_AS_USER=suricata, which the init script turns into the --user=suricata argument; set IFACE to the interface you actually want to monitor:
# Default config for Suricata
# set to yes to start the server in the init.d script
RUN=yes
# set to user that will run suricata in the init.d script (used for dropping privileges only)
RUN_AS_USER=suricata
# Configuration file to load
SURCONF=/etc/suricata/suricata.yaml
# Listen mode: pcap, nfqueue or af-packet
# depending on this value, only one of the two following options
# will be used (af-packet uses neither).
# Please note that IPS mode is only available when using nfqueue
LISTENMODE=pcap
# Interface to listen on (for pcap mode)
IFACE=eth0
# Queue number to listen on (for nfqueue mode)
NFQUEUE=0
# Load Google TCMALLOC if libtcmalloc-minimal0 is installed
# This _might_ give you very very small performance gain....
TCMALLOC="YES"
# Pid file
PIDFILE=/var/run/suricata.pid
Ensure that the Suricata log directory is owned by the 'suricata' user, since after dropping privileges the daemon can no longer write logs as root
# chown -R suricata:suricata /var/log/suricata
Start Suricata
# service suricata start
Verify that Suricata is running as the 'suricata' user (the USER column should read suricata, and the command line should carry the --user=suricata argument that the init script built from RUN_AS_USER)
# ps aux | grep suricata
suricata 28296 107 59.9 366140 304160 ? Ssl 22:47 0:05 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i eth0 -D -v --user=suricata
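The steps above boil down to three things that can be checked mechanically: the defaults file names a non-root RUN_AS_USER, the running process is owned by that user and was started with --user=<that user>, and /var/log/suricata belongs to that user. The script below is an added example, not part of the original tutorial or of the Suricata project. Its sample inputs (a cut-down /etc/default/suricata and two ps lines) are constructed so it runs offline; live_check() applies the same logic to the real system and assumes the Debian/Ubuntu layout used on this page (/etc/default/suricata, /usr/bin/suricata, /var/log/suricata) and GNU stat.

```shell
#!/bin/sh
# Added example: verify the privilege drop configured in this tutorial.
# Not from the original page or the Suricata project. Assumes Debian/Ubuntu paths.

# Constructed sample of /etc/default/suricata (relevant lines plus a comment and a quoted value)
SAMPLE_DEFAULTS='# Default config for Suricata
RUN=yes
# set to user that will run suricata in the init.d script
RUN_AS_USER=suricata
LISTENMODE=pcap
IFACE=eth0
TCMALLOC="YES"'

# Constructed variant with the privilege drop misconfigured
SAMPLE_DEFAULTS_ROOT='RUN=yes
RUN_AS_USER=root
IFACE=eth0'

# Constructed "ps aux" lines: one mirroring the tutorial's output, one for a daemon left running as root
SAMPLE_PS='suricata 28296 107 59.9 366140 304160 ? Ssl 22:47 0:05 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i eth0 -D -v --user=suricata'
SAMPLE_PS_ROOT='root 1234 0.0 0.1 366140 304160 ? Ssl 22:47 0:05 /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 -D'

# get_default KEY TEXT: value of KEY=... in defaults-file text; comment lines are ignored,
# the last assignment wins, and surrounding double quotes are stripped (TCMALLOC="YES" style)
get_default() {
    printf '%s\n' "$2" | awk -F= -v key="$1" '
        /^[[:space:]]*#/ { next }
        $1 == key { v = substr($0, length(key) + 2) }
        END { gsub(/^"|"$/, "", v); print v }'
}

# ps_user LINE: the USER column (first field) of a "ps aux" line
ps_user() {
    printf '%s\n' "$1" | awk '{ print $1 }'
}

# ps_user_flag LINE: value of the --user= argument on the command line (fields 11+), empty if absent
ps_user_flag() {
    printf '%s\n' "$1" | awk '{ for (i = 11; i <= NF; i++) if ($i ~ /^--user=/) { sub(/^--user=/, "", $i); print $i } }'
}

# check_privilege_drop DEFAULTS_TEXT PS_LINE: exit 0 only if RUN_AS_USER is a non-root user,
# the process is owned by that user, and it was started with --user=<that user>
check_privilege_drop() {
    want=$(get_default RUN_AS_USER "$1")
    [ -n "$want" ] && [ "$want" != root ] || { echo "RUN_AS_USER is unset or root"; return 1; }
    [ "$(ps_user "$2")" = "$want" ] || { echo "process runs as $(ps_user "$2"), not $want"; return 1; }
    [ "$(ps_user_flag "$2")" = "$want" ] || { echo "process was not started with --user=$want"; return 1; }
    return 0
}

# live_check: run the same checks against the real system, plus log directory ownership.
# Skips quietly when Suricata is not installed or not running on this host.
live_check() {
    [ -r /etc/default/suricata ] || { echo "no /etc/default/suricata; skipping live check"; return 0; }
    defaults=$(cat /etc/default/suricata)
    # match on the command field rather than "grep suricata", which also matches the grep itself
    line=$(ps aux | awk '$11 == "/usr/bin/suricata"' | head -n 1)
    [ -n "$line" ] || { echo "suricata is not running; skipping live check"; return 0; }
    check_privilege_drop "$defaults" "$line" || return 1
    want=$(get_default RUN_AS_USER "$defaults")
    owner=$(stat -c %U /var/log/suricata 2>/dev/null)   # GNU stat, as on Ubuntu
    [ "$owner" = "$want" ] || { echo "/var/log/suricata is owned by ${owner:-?}, not $want"; return 1; }
    echo "ok: suricata runs as $want and owns /var/log/suricata"
}

# Offline demonstration on the constructed samples, then the live check
if check_privilege_drop "$SAMPLE_DEFAULTS" "$SAMPLE_PS"; then echo "sample: privilege drop in effect"; fi
if check_privilege_drop "$SAMPLE_DEFAULTS" "$SAMPLE_PS_ROOT"; then :; else echo "sample: root daemon correctly rejected"; fi
live_check
```

Run it as root after "service suricata start"; a non-zero exit from live_check means either the init script did not pass --user, the process is still root, or the chown step was skipped. Matching on the ps command field instead of "grep suricata" avoids the grep process showing up in its own output.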