How to Install Suricata IDS on Ubuntu 24.04 Server
Suricata is an open-source intrusion detection system (IDS) that provides real-time network traffic analysis and monitoring. This guide will show you how to install Suricata IDS on Ubuntu 24.04 Server.
Step 1: Update Your System
- Before installing Suricata, update your package list and upgrade all existing packages:
sudo apt update && sudo apt upgrade -y
Step 2: Add the Suricata PPA Repository
- To install the latest version of Suricata, add the official Suricata PPA repository:
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
Step 3: Install Suricata
- Install Suricata using the following command:
sudo apt install suricata -y
Once the installation is complete, you can check the Suricata version to verify it was installed correctly:
suricata --build-info
Step 4: Configure Suricata
- The main configuration file for Suricata is located at /etc/suricata/suricata.yaml. Open the file using a text editor:
sudo nano /etc/suricata/suricata.yaml
In this file, you can configure various aspects of Suricata, including the network interfaces it will monitor. By default, Suricata is configured to monitor the interface named in the af-packet section of the file, so set that to the interface your server actually uses, and set HOME_NET under vars to your local address ranges so that rules distinguish internal hosts from external ones.
Step 5: Download and Configure Rule Sets
- Suricata uses rules to detect suspicious traffic. You can download rule sets from the Emerging Threats rules repository. Use the following command to install the Suricata-Update tool for managing rule sets:
sudo apt install suricata-update -y
Once installed, update the rules by running:
sudo suricata-update
This will download and apply the latest rule sets from the default Emerging Threats rules repository.
Step 6: Enable and Start Suricata
- To ensure that Suricata starts on boot and monitors traffic, enable the Suricata service:
sudo systemctl enable suricata
Now, start the Suricata service:
sudo systemctl start suricata
Verify that Suricata is running and monitoring your network by checking its status:
sudo systemctl status suricata
Step 7: Monitor Suricata Logs
- Suricata logs its alerts and activities in various log files, which are typically stored in the /var/log/suricata/ directory. To view the logs, use the following command:
sudo tail -f /var/log/suricata/fast.log
This command will display the latest logs generated by Suricata, helping you monitor any potential security threats detected by the IDS.
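Beyond tailing the file, a quick way to see what the IDS is actually reporting is to summarise fast.log by priority, signature and host. The script below is an added example, not part of the original guide; the log lines it uses are constructed samples in fast.log format with local-range (1000000+) signature IDs, so it runs offline and can be pointed at /var/log/suricata/fast.log instead.

```shell
#!/bin/sh
# Added example: summarise Suricata fast.log alerts with POSIX shell tools.
# Not part of the original guide. The log lines below are constructed samples
# in fast.log format; the signature IDs are in the local rule range.
set -eu

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
03/15/2024-10:12:45.123456  [**] [1:1000001:1] LOCAL TEST suspicious response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.168.1.20:51234
03/15/2024-10:13:02.000001  [**] [1:1000002:1] LOCAL TEST policy violation [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.20:40000 -> 203.0.113.10:80
03/15/2024-10:14:10.500000  [**] [1:1000001:1] LOCAL TEST suspicious response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.11:80 -> 192.168.1.21:51235
03/15/2024-10:15:00.000000  [**] [1:1000003:1] LOCAL TEST protocol anomaly [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {TCP} 192.168.1.22:55000 -> 198.51.100.5:443
EOF

# Extract "[gid:sid:rev] message" (the text between the two [**] markers).
signatures() {
    sed -n 's/.*\[\*\*\] \(\[[0-9:]*\] .*\) \[\*\*\].*/\1/p' "$1"
}

# Alerts per signature, most frequent first, as "count<TAB>signature".
top_signatures() {
    signatures "$1" | sort | uniq -c | sort -rn | head -n "${2:-10}" \
        | awk '{c=$1; $1=""; sub(/^ /, ""); print c "\t" $0}'
}

# Alerts per Suricata priority (1 = most severe), as "priority<TAB>count".
count_by_priority() {
    awk 'match($0, /\[Priority: [0-9]+\]/) {
             p = substr($0, RSTART + 11, RLENGTH - 12); n[p]++
         }
         END { for (p in n) print p "\t" n[p] }' "$1" | sort -n
}

# Alert lines in which the given IP appears as source or destination.
alerts_for_host() {
    grep -F -- " $2:" "$1" || true
}

printf 'Alerts by priority:\n'; count_by_priority "$SAMPLE_LOG"
printf 'Top signatures:\n';     top_signatures "$SAMPLE_LOG" 3
printf 'Alerts involving 192.168.1.20:\n'; alerts_for_host "$SAMPLE_LOG" 192.168.1.20
```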
Step 8: Fine-Tuning and Optimizing
- After installation, you can fine-tune Suricata by adjusting rules, logging, and performance settings in the suricata.yaml configuration file based on your network needs. You can also add more rule sets from other providers if necessary.
Conclusion
You've successfully installed and configured Suricata IDS on Ubuntu 24.04. Suricata is now running and monitoring your network for any suspicious activities or intrusions. Continue to monitor and update the rule sets to keep your IDS effective.