Suricata IDS/IPS Deployment Guide
Deploy and configure Suricata for network intrusion detection and prevention on your infrastructure
Suricata is a high-performance, open-source network Intrusion Detection System (IDS), Intrusion Prevention System (IPS), and Network Security Monitoring (NSM) engine. It features multi-threaded architecture, protocol analysis, and advanced threat detection capabilities.
What is Suricata
Suricata provides:
- IDS Mode: Passive network monitoring and threat detection
- IPS Mode: Active threat prevention with inline network filtering
- NSM: Full network flow and DNS logging
- Multi-threaded: Leverages modern multi-core systems
- Protocol Awareness: HTTP, TLS, DNS, SSH, SMB inspection
Installation
Ubuntu/Debian via OISF PPA
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install -y suricata suricata-update
Verify Installation
suricata --version
suricatasc -h
Core Configuration
Edit /etc/suricata/suricata.yaml:
Define Home Network
vars:
  address-groups:
    HOME_NET: "[192.168.1.0/24,192.168.2.0/24]"
    EXTERNAL_NET: "!$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
Configure Monitoring Interfaces
IDS Mode (AF_PACKET - Passive):
af-packet:
  - interface: eth0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_round_robin
    defrag: yes
    use-mmap: yes
    ring-size: 32768
IPS Mode (NFQUEUE - Inline):
nfq:
  mode: accept   # verdict mode: accept (default), repeat or route
The queue number is not a YAML setting: start Suricata with -q 0 (the same number as --queue-num in the iptables rule under IPS Mode Configuration) and it runs inline on NFQUEUE instead of capturing with AF_PACKET.
Configure Outputs
outputs:
  - eve-log:
      enabled: yes
      filename: eve.json
      types:
        - alert:
            payload: yes
            payload-buffer-size: 4096
        - http:
            extended: yes
        - dns:
            enabled: yes
        - tls:
            enabled: yes
        - ssh:
            enabled: yes
        - flow:
            enabled: yes
  - fast:
      enabled: yes
      filename: fast.log
Rule Management with suricata-update
Update and Install Rules
# Update Emerging Threats Open ruleset
sudo suricata-update update-sources
sudo suricata-update enable-source et/open
# Download rules
sudo suricata-update
# Reload Suricata (non-disruptive)
sudo suricatasc -c "reload-rules" /var/run/suricata/suricata.sock
Manage Rule Disables
Create /etc/suricata/disable.conf for false positive suppression. One entry per line; a bare number is a signature ID (sid), and the gid:sid form is also accepted:
# Suppress a specific rule by signature ID (sid)
2019428
# The same rule addressed as gid:sid
1:2019428
Run update:
sudo suricata-update
sudo suricatasc -c "reload-rules" /var/run/suricata/suricata.sock
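As an added illustration of how disable.conf entries are matched against a ruleset (this is not suricata-update's own code), the following Python comments out rules by sid, by gid:sid and by a re: pattern; the ruleset and disable.conf contents are constructed, and case-insensitive matching for re: entries is an assumption of this illustration.

```python
import re

# Constructed sample rules in Suricata rule syntax (not a real ruleset); rule D should stay active.
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST rule A"; sid:2019428; rev:3;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST rule B noisy"; sid:2019429; rev:1;)
alert dns $HOME_NET any -> any any (msg:"TEST rule C"; gid:1; sid:9000001; rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"TEST rule D"; sid:2019430; rev:2;)
"""
# Constructed disable.conf using the three entry forms: bare sid, gid:sid and re:<regex>.
SAMPLE_DISABLE_CONF = """\
# comment lines and blank lines are ignored
2019428
1:9000001
re:noisy
"""
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")

def parse_disable_conf(text):
    """Return (set of (gid, sid) pairs, list of compiled re: patterns); '#' starts a comment."""
    ids, patterns = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("re:"):
            # Assumption of this illustration: re: patterns match case-insensitively.
            patterns.append(re.compile(line[3:].strip(), re.IGNORECASE))
        elif ":" in line:
            gid, sid = line.split(":", 1)
            ids.add((int(gid), int(sid)))
        else:
            ids.add((1, int(line)))  # a bare sid implies the default generator ID 1
    return ids, patterns

def apply_disable(rules_text, disable_text):
    """Comment out every active rule that matches an entry; return (new text, disabled sids)."""
    ids, patterns = parse_disable_conf(disable_text)
    out, disabled = [], []
    for line in rules_text.splitlines():
        sid = SID_RE.search(line)
        if sid and not line.lstrip().startswith("#"):
            gid = GID_RE.search(line)
            key = (int(gid.group(1)) if gid else 1, int(sid.group(1)))
            if key in ids or any(p.search(line) for p in patterns):
                disabled.append(key[1])
                line = "# " + line
        out.append(line)
    return "\n".join(out) + "\n", disabled
```

Running apply_disable a second time over its own output disables nothing further, because already commented rules are skipped.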
Starting and Monitoring
Run Suricata in IDS Mode
# Start service
sudo systemctl start suricata
sudo systemctl enable suricata
# Check status
sudo systemctl status suricata
Real-time Log Monitoring
# Watch alerts
sudo tail -f /var/log/suricata/fast.log
# Monitor EVE JSON (alert events only; other event types would otherwise print as null)
sudo tail -f /var/log/suricata/eve.json | jq -c 'select(.event_type=="alert") | .alert'
EVE JSON Analysis
Parse with jq
# Extract all alerts
sudo jq 'select(.event_type=="alert")' /var/log/suricata/eve.json
# Top source IPs triggering alerts
sudo jq -r 'select(.event_type=="alert") | .src_ip' /var/log/suricata/eve.json | sort | uniq -c | sort -rn | head -10
# Extract HTTP requests
sudo jq 'select(.event_type=="http") | {timestamp, src_ip, dest_ip, method: .http.http_method, uri: .http.uri}' /var/log/suricata/eve.json
Integrate with Kibana/Grafana
Forward EVE JSON to Elasticsearch:
# Install logstash (example)
sudo apt install -y logstash
# Configure Logstash input/output for Suricata EVE
# (tee is used because a plain redirect runs as your user, not as root;
#  the logstash user also needs read access to /var/log/suricata/eve.json)
sudo tee /etc/logstash/conf.d/suricata.conf > /dev/null << 'EOF'
input {
  file {
    path => "/var/log/suricata/eve.json"
    sincedb_path => "/var/lib/logstash/suricata.db"
    codec => json
  }
}
output {
  elasticsearch {
    hosts => ["localhost:9200"]
    index => "suricata-%{+YYYY.MM.dd}"
  }
}
EOF
sudo systemctl restart logstash
IPS Mode Configuration
IPS mode requires kernel support for NFQUEUE and proper iptables rules. Misconfiguration can break network connectivity.
Enable IPS in suricata.yaml
# Detection engine tuning used alongside inline mode
detect:
  profile: high
  sgh-mpm-context: auto
  inspection-recursion-limit: 3000
There is no separate IPS switch in suricata.yaml: drop verdicts take effect once Suricata runs inline (started with -q 0 for NFQUEUE) and the matching rules use the drop action.
Configure iptables for NFQUEUE
# Send forwarded traffic to Suricata's queue 0. Every packet of a flow must reach the queue,
# so do not restrict the rule to conntrack state NEW, or only the first packet is inspected.
sudo iptables -I FORWARD -j NFQUEUE --queue-num 0 --queue-bypass
# --queue-bypass lets packets through (fail-open) when nothing is bound to the queue,
# e.g. while Suricata restarts; drop it if you need fail-closed behaviour.
# Persist rules
sudo apt install -y iptables-persistent
sudo iptables-save | sudo tee /etc/iptables/rules.v4 > /dev/null
# Verify rules
sudo iptables -L FORWARD -n -v
Active Drop Rules
Rules listed in /etc/suricata/disable.conf stay disabled after every update. Remove the entries you want back in the active ruleset, then regenerate and reload:
sudo suricata-update
sudo suricatasc -c "reload-rules" /var/run/suricata/suricata.sock
Performance Tuning
AF_PACKET with multiple threads and CPU pinning delivers optimal throughput. Set threads to match available CPU cores.
Enable AF_PACKET Multi-threading
af-packet:
  - interface: eth0
    threads: 4 # Match CPU cores
    cluster-id: 99
    cluster-type: cluster_round_robin
    use-mmap: yes
    tpacket-v3: yes
    ring-size: 65536
CPU Affinity
# Check system
grep -c ^processor /proc/cpuinfo
# Pin threads via systemd override (tee, because the redirect would run as your user)
sudo mkdir -p /etc/systemd/system/suricata.service.d
sudo tee /etc/systemd/system/suricata.service.d/cpu-affinity.conf > /dev/null << 'EOF'
[Service]
CPUAffinity=0-3
EOF
sudo systemctl daemon-reload
sudo systemctl restart suricata
Bypass Checks
af-packet:
  - interface: eth0
    bypass: yes # eBPF/XDP flow bypass; needs a kernel and a Suricata build with eBPF support
Monitoring Health
Check Socket Status
# Live counters over the unix socket
sudo suricatasc -c "dump-counters" /var/run/suricata/suricata.sock | tail -20
# Memory usage ([s]uricata keeps grep's own process out of the listing)
sudo ps aux | grep '[s]uricata'
Alert Statistics
# Count alerts by signature
sudo jq -r 'select(.event_type=="alert") | .alert.signature' /var/log/suricata/eve.json | sort | uniq -c | sort -rn | head -20
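The same triage that the jq one-liners in the EVE JSON Analysis and Alert Statistics sections perform (alerts by signature, top alerting source IPs, HTTP request extraction), as an added Python example that is not part of the original guide; it runs over a constructed eve.json sample whose field names follow EVE's alert and http record layout while every value is made up. It also skips a truncated trailing record, which readers of a live eve.json commonly hit.

```python
import json
from collections import Counter

# Constructed EVE records (not real traffic), one JSON object per line as Suricata writes
# them to eve.json. The last line is deliberately truncated to mimic a record that was
# still being written when the file was read; it must be skipped, not abort the run.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.168.1.10","alert":{"signature_id":2019428,"signature":"TEST policy rule","severity":2}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","event_type":"http","src_ip":"192.168.1.10","dest_ip":"203.0.113.7","http":{"hostname":"example.test","http_method":"GET","uri":"/index.html","status":200}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.168.1.10","alert":{"signature_id":2019428,"signature":"TEST policy rule","severity":2}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"192.168.1.20","alert":{"signature_id":9000001,"signature":"TEST local rule","severity":1}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"dns","src_ip":"192.168.1.10","dest_ip":"192.168.1.1","dns":{"type":"query","rrname":"example.test"}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"alert","src_ip":"10.0.0.5"
"""

def parse_eve(text):
    """Yield decoded EVE records, skipping blank and malformed (e.g. truncated) lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def alerts_by_signature(records):
    """Alert counts keyed by (signature_id, signature), like the jq | sort | uniq -c pipeline."""
    return Counter((r["alert"]["signature_id"], r["alert"]["signature"])
                   for r in records if r.get("event_type") == "alert")

def top_alert_sources(records, n=10):
    """Most frequent src_ip among alert events, highest count first."""
    return Counter(r["src_ip"] for r in records if r.get("event_type") == "alert").most_common(n)

def http_requests(records):
    """Flatten http events to the fields the jq one-liner extracts."""
    return [{"timestamp": r["timestamp"], "src_ip": r["src_ip"], "dest_ip": r["dest_ip"],
             "method": r["http"].get("http_method"), "uri": r["http"].get("uri")}
            for r in records if r.get("event_type") == "http"]

def summarize(text):
    """Parse once and build all three views; returns a dict the caller can print or assert on."""
    records = list(parse_eve(text))
    return {"parsed": len(records),
            "by_signature": alerts_by_signature(records),
            "top_sources": top_alert_sources(records),
            "http": http_requests(records)}
```

To run it over a real file, pass open("/var/log/suricata/eve.json").read() to summarize instead of SAMPLE_EVE.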
Troubleshooting
Rules Not Reloading
# Force rule reload
sudo suricatasc -c "reload-rules" /var/run/suricata/suricata.sock
# Check rule syntax
sudo suricata -c /etc/suricata/suricata.yaml -T
High CPU Usage
- Reduce rule count with disable.conf
- Enable hardware offload if available
- Increase ring-size for AF_PACKET
- Use profile: medium instead of high in the detect section
No Alerts Generated
# Verify the interface is receiving packets
sudo ethtool -S eth0 | grep -i packet
# Check interface is up
ip link show eth0
# Validate rules loaded (reports rules_loaded and rules_failed counts)
sudo suricatasc -c "ruleset-stats" /var/run/suricata/suricata.sock