Deploys and configures Suricata IDS/IPS with Emerging Threats rulesets, EVE JSON logging, and custom rules for real-time network traffic inspection, threat detection, and integration with SIEM platforms for centralized security monitoring.
Do not use as a standalone security solution without complementary controls, for encrypted traffic inspection without TLS decryption capabilities, or on systems with insufficient CPU/memory for the expected traffic volume.
suricata --build-info)# Install from PPA (Ubuntu/Debian)
sudo add-apt-repository ppa:oisf/suricata-stable
sudo apt update
sudo apt install -y suricata suricata-update jq
# Verify installation
suricata --build-info | grep -E "Version|AF_PACKET|NFQueue"
# Or install from source for latest features
sudo apt install -y libpcre2-dev build-essential autoconf automake libtool \
libpcap-dev libnet1-dev libyaml-dev libjansson-dev libcap-ng-dev \
libmagic-dev libnetfilter-queue-dev libhiredis-dev rustc cargo cbindgen
git clone https://github.com/OISF/suricata.git
cd suricata && git clone https://github.com/OISF/libhtp.git -b 0.5.x
./autogen.sh && ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var \
--enable-nfqueue --enable-af-packet
make -j$(nproc) && sudo make install install-conf
# Disable NIC offloading features
sudo ethtool -K eth1 gro off lro off tso off gso off rx off tx off sg off
# Set interface to promiscuous mode
sudo ip link set eth1 promisc on
# For high-performance deployments, configure AF_PACKET with multiple threads
# Edit /etc/suricata/suricata.yaml
# /etc/suricata/suricata.yaml (key sections)
# Network variables