Install and Setup Suricata on Rocky Linux

Last Updated:

In this tutorial, you will learn how to install and setup Suricata on Rocky Linux. Suricata is a free and open source network threat detection engine. It can function as an intrusion detection (IDS) engine, inline intrusion prevention system (IPS), network security monitoring (NSM) as well as offline pcap processing tool. It works by inspecting network traffic using rules and signature as well as Lua scripting support for detection of complex threats.

Suricata offers quite a number of features. Read about them on All Suricata features page.

Install and Setup Suricata on Rocky Linux

System Requirements

Well, Suricata is multi-threaded, hence, if you have enough cores, you can avail as enough as possible. Also, allocate enough RAM.

In this demo, we have allocated 2 vCPUs and 4GB RAM to our Suricata server.

Install Suricata on Rocky Linux

There are various ways in which you can install Suricata on Rocky Linux;

Install Suricata on Rocky Linux from Source

Run system update

Update your system package by running the command below

dnf update
Install Required Build tools and Dependencies

There are a number of package dependencies and build tools required for a successful build and install of Suricata on Rocky Linux from the source.

dnf config-manager --set-enabled powertools
dnf install diffutils file-devel gcc jansson-devel \
make nss-devel libyaml-devel libcap-ng-devel \
libpcap-devel pcre-devel python3 python3-pyyaml \
rust-toolset zlib-devel curl wget tar lua lua-devel \
lz4-devel -y
Download Suricata Source Code

Download the latest stable release Suricata source code from Suricata downloads page.

As of this writing, Suricata 6.0.5 is the latest stable release version.

Replace the value of the VER variable below with the current release version number of Suricata.

wget${VER}.tar.gz -P /tmp
Extract Suricata Source Code

Once the download is complete, extract the source code;

cd /tmp
tar xzf suricata-${VER}.tar.gz
Build and Install Suricata on Rocky Linux

Navigate to the source directory and build and install Suricata on Rocky Linux.

cd suricata-${VER}

Run the configure script to adapt Suricata to the system and verify that all required dependencies are in place.

./configure --sysconfdir=/etc --localstatedir=/var --prefix=/usr/ --enable-lua --enable-geopip 

The command installs Suricata binary into /usr/bin/suricata, have the config in /etc/suricata and use /var/log/suricata as log directory.

For more build options, refer to ./configure --help.

Summary of the configuration;

Suricata Configuration:
  AF_PACKET support:                       yes
  eBPF support:                            no
  XDP support:                             no
  PF_RING support:                         no
  NFQueue support:                         no
  NFLOG support:                           no
  IPFW support:                            no
  Netmap support:                          no 
  DAG enabled:                             no
  Napatech enabled:                        no
  WinDivert enabled:                       no

  Unix socket enabled:                     yes
  Detection enabled:                       yes

  Libmagic support:                        yes
  libnss support:                          yes
  libnspr support:                         yes
  libjansson support:                      yes
  hiredis support:                         no
  hiredis async with libevent:             no
  Prelude support:                         no
  PCRE jit:                                yes
  LUA support:                             yes
  libluajit:                               no
  GeoIP2 support:                          no
  Non-bundled htp:                         no
  Hyperscan support:                       no
  Libnet support:                          no
  liblz4 support:                          yes
  HTTP2 decompression:                     no

  Rust support:                            yes
  Rust strict mode:                        no
  Rust compiler path:                      /usr/bin/rustc
  Rust compiler version:                   rustc 1.54.0 (Red Hat 1.54.0-3.module+el8.5.0+712+d335422a)
  Cargo path:                              /usr/bin/cargo
  Cargo version:                           cargo 1.54.0
  Cargo vendor:                            yes

  Python support:                          yes
  Python path:                             /usr/bin/python3
  Python distutils                         yes
  Python yaml                              yes
  Install suricatactl:                     yes
  Install suricatasc:                      yes
  Install suricata-update:                 yes

  Profiling enabled:                       no
  Profiling locks enabled:                 no

  Plugin support (experimental):           yes

Development settings:
  Coccinelle / spatch:                     no
  Unit tests enabled:                      no
  Debug output enabled:                    no
  Debug validation enabled:                no

Generic build parameters:
  Installation prefix:                     /usr
  Configuration directory:                 /etc/suricata/
  Log directory:                           /var/log/suricata/

  --prefix                                 /usr
  --sysconfdir                             /etc
  --localstatedir                          /var
  --datarootdir                            /usr/share

  Host:                                    x86_64-pc-linux-gnu
  Compiler:                                gcc (exec name) / gcc (real)
  GCC Protect enabled:                     no
  GCC march native enabled:                yes
  GCC Profile enabled:                     no
  Position Independent Executable enabled: no
  CFLAGS                                   -g -O2 -std=c11 -march=native -I${srcdir}/../rust/gen -I${srcdir}/../rust/dist

To build and install run 'make' and 'make install'.

You can run 'make install-conf' if you want to install initial configuration
files to /etc/suricata/. Running 'make install-full' will install configuration
and rules and provide you a ready-to-run suricata.

To install Suricata into /usr/bin/suricata, have the config in
/etc/suricata and use /var/log/suricata as log dir, use:
./configure --prefix=/usr/ --sysconfdir=/etc/ --localstatedir=/var/

Compile and install Suricata, Suricata rules and configurations.

make install-full

Sample output;

make install-rules
make[1]: Entering directory '/tmp/suricata-6.0.5'
LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata-update \
	--suricata /usr/bin/suricata \
	--suricata-conf /etc/suricata/suricata.yaml \
	--no-test --no-reload
29/4/2022 -- 04:36:02 -  -- Using data-directory /var/lib/suricata.
29/4/2022 -- 04:36:02 -  -- Using /usr/share/suricata/rules for Suricata provided rules.
29/4/2022 -- 04:36:02 -  -- Found Suricata version 6.0.5 at /usr/bin/suricata.
29/4/2022 -- 04:36:02 -  -- Loading /etc/suricata/suricata.yaml
29/4/2022 -- 04:36:02 -  -- Disabling rules for protocol http2
29/4/2022 -- 04:36:02 -  -- Disabling rules for protocol modbus
29/4/2022 -- 04:36:02 -  -- Disabling rules for protocol dnp3
29/4/2022 -- 04:36:02 -  -- Disabling rules for protocol enip
29/4/2022 -- 04:36:02 -  -- No sources configured, will use Emerging Threats Open
29/4/2022 -- 04:36:02 -  -- Fetching
 100% - 3276257/3276257               
29/4/2022 -- 04:36:10 -  -- Done.
29/4/2022 -- 04:36:10 -  -- Loading distribution rule file /usr/share/suricata/rules/app-layer-events.rules
29/4/2022 -- 04:36:10 -  -- Loading distribution rule file /usr/share/suricata/rules/decoder-events.rules
29/4/2022 -- 04:36:10 -  -- Loading distribution rule file /usr/share/suricata/rules/dhcp-events.rules
29/4/2022 -- 04:36:10 -  -- Loading distribution rule file /usr/share/suricata/rules/dnp3-events.rules
29/4/2022 -- 04:36:10 -  -- Loading distribution rule file /usr/share/suricata/rules/dns-events.rules
29/4/2022 -- 04:36:10 -  -- Loading distribution rule file /usr/share/suricata/rules/files.rules
29/4/2022 -- 04:36:10 -  -- Loading distribution rule file /usr/share/suricata/rules/http-events.rules
29/4/2022 -- 04:36:10 -  -- Loading distribution rule file /usr/share/suricata/rules/ipsec-events.rules
29/4/2022 -- 04:36:10 -  -- Loading distribution rule file /usr/share/suricata/rules/kerberos-events.rules
29/4/2022 -- 04:36:10 -  -- Loading distribution rule file /usr/share/suricata/rules/modbus-events.rules
29/4/2022 -- 04:36:10 -  -- Loading distribution rule file /usr/share/suricata/rules/nfs-events.rules
29/4/2022 -- 04:36:10 -  -- Loading distribution rule file /usr/share/suricata/rules/ntp-events.rules
29/4/2022 -- 04:36:10 -  -- Loading distribution rule file /usr/share/suricata/rules/smb-events.rules
29/4/2022 -- 04:36:10 -  -- Loading distribution rule file /usr/share/suricata/rules/smtp-events.rules
29/4/2022 -- 04:36:10 -  -- Loading distribution rule file /usr/share/suricata/rules/stream-events.rules
29/4/2022 -- 04:36:10 -  -- Loading distribution rule file /usr/share/suricata/rules/tls-events.rules
29/4/2022 -- 04:36:10 -  -- Ignoring file rules/emerging-deleted.rules
29/4/2022 -- 04:36:13 -  -- Loaded 33248 rules.
29/4/2022 -- 04:36:13 -  -- Disabled 14 rules.
29/4/2022 -- 04:36:13 -  -- Enabled 0 rules.
29/4/2022 -- 04:36:13 -  -- Modified 0 rules.
29/4/2022 -- 04:36:13 -  -- Dropped 0 rules.
29/4/2022 -- 04:36:13 -  -- Enabled 131 rules for flowbit dependencies.
29/4/2022 -- 04:36:13 -  -- Creating directory /var/lib/suricata/rules.
29/4/2022 -- 04:36:13 -  -- Backing up current rules.
29/4/2022 -- 04:36:13 -  -- Writing rules to /var/lib/suricata/rules/suricata.rules: total: 33248; enabled: 25845; added: 33248; removed 0; modified: 0
29/4/2022 -- 04:36:13 -  -- Writing /var/lib/suricata/rules/classification.config
29/4/2022 -- 04:36:13 -  -- Skipping test, disabled by configuration.
29/4/2022 -- 04:36:13 -  -- Done.

You can now start suricata by running as root something like:
  /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

If a library like is not found, you can run suricata with:
  LD_LIBRARY_PATH=/usr/lib /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0

The Emerging Threats Open rules are now installed. Rules can be
updated and managed with the suricata-update tool.

For more information please see:

make[1]: Leaving directory '/tmp/suricata-6.0.5'

Suricata is now installed from sources on Rocky Linux.

Install Suricata on Rocky Linux from EPEL Repos

For a seamless installation of Suricata on Rocky Linux, using EPEL repos to install it is a sure bet.

Install EPEL Repos on Rocky Linux
dnf install epel-release
Install Suricata from EPEL Repos on Rocky Linux
dnf info suricata

Available Packages
Name         : suricata
Version      : 5.0.8
Release      : 1.el8
Architecture : x86_64
Size         : 2.3 M
Source       : suricata-5.0.8-1.el8.src.rpm
Repository   : epel
Summary      : Intrusion Detection System
URL          :
License      : GPLv2

Unfortunately, as of this writing, the EPEL repos on Rocky Linux provides Suricata 5.0.8.

Thus, installing Suricata from source is the surest way to get the latest version running.

If you want to install this this version, however, just execute the command;

dnf install suricata -y

Suricata Rules

Suricata utilizes various rule sets/signatures to detect and alert on matching threats. Rules are also known as Signatures.  Emerging ThreatsEmerging Threats Pro and source fire’s VRT are the most commonly used rules.

In most cases, you can find the rules files under /etc/suricata/rules/. This is when you install Suricata from repos.

ls -1 /etc/suricata/rules/

Emergency Threat rules are usually stored as /var/lib/suricata/rules/suricata.rules.

The ET Open rules, suricata.rules, usually contains all the rules defined on the rules file located under the /etc/suricata/rules/.

To install and update Emergency Threat rules, use the suricata-update command.


This downloads and installs suricata.rules.

A rule/signature consists of the following sections:

  • The action, that determines what happens when the signature matches.
  • The header, defining the protocol, IP addresses, ports and direction of the rule.
  • The rule options, defining the specifics of the rule.
alert ip any any -> any any (msg:"SURICATA Applayer Mismatch protocol both directions"; flow:established; app-layer-event:applayer_mismatch_protocol_both_directions; flowint:applayer.anomaly.count,+,1; classtype:protocol-command-decode; sid:2260000; rev:1;)

Read more on introduction to Suricata rules.

Suricata Basic Setup

/etc/suricata/suricata.yaml is the default Suricata configuration file.

The configuration file contains a lot of configurable options. However, for our basic setup, we will only focus on the network interface on which Suricata is listening on and the IP address attached to that interface.

To find the interface and the IP address, run the command below;

ip --brief add

lo               UNKNOWN ::1/128 
enp0s3           UP    
enp0s8           UP    fe80::a00:27ff:fe42:2ef5/64 
virbr0           DOWN  
virbr0-nic       DOWN

In our case, our interface is enp0s8 and the IP address is

Open and edit the Suricata config file.

vim /etc/suricata/suricata.yaml

Under the vars section, you need to configure Suricata to differentiate between your internal network to be protected and external network. This can be done by defining the correct values for the HOME_NET and EXTERNAL_NET variables respectively under the address groups.

The HOME_NET variable should include the IP address of the interface on which Suricata is listening on and all the local networks to protect.

The EXTERNAL_NET variables should define any IP or network that is not local.

  # more specific is better for alert accuracy and performance
    #HOME_NET: "[,,]"
    HOME_NET: "[]"
    #HOME_NET: "[]"
    #HOME_NET: "[]"
    #HOME_NET: "[]"
    #HOME_NET: "any"


Under the af-packet section, set the value of the interface to your interface name.

# Linux high speed capture support
  - interface: enp0s8

Save and exit the configuration file.

Specify Suricata Rules

Define the Suricata rules-files to use. We are using the default ET rules in this demo;

default-rule-path: /var/lib/suricata/rules

  - suricata.rules

Disable Packet Offloading

Disable Suricata packet offloading by disabling interface Large Receive Offload (LRO)/Generic Receive Offload (GRO);

ethtool -K <interface> gro off lro off

Replace <interface> with your interface.

First check if these features are enabled;

ethtool -k enp0s8 | grep -iE "generic|large"
	tx-checksum-ip-generic: on
generic-segmentation-offload: on
generic-receive-offload: off
large-receive-offload: off [fixed]

If enabled, disable by running the command below;

ethtool -K enp0s8 gro off lro off

Running Suricata

You can run Suricata on foreground using the command;

suricata -c /etc/suricata/suricata.yaml -i enp0s8

To run it as daemon in the background;

suricata -D -c /etc/suricata/suricata.yaml -i enp0s8

Suricata logging;

To check if Suricata is running check the Suricata log:

tail /var/log/suricata/suricata.log

You should see such a line;

29/4/2022 -- 05:48:48 -  - Found an MTU of 1500 for 'enp0s8'
29/4/2022 -- 05:48:48 -  - Found an MTU of 1500 for 'enp0s8'
29/4/2022 -- 05:48:48 -  - fast output device (regular) initialized: fast.log
29/4/2022 -- 05:48:48 -  - eve-log output device (regular) initialized: eve.json
29/4/2022 -- 05:48:48 -  - stats output device (regular) initialized: stats.log
29/4/2022 -- 05:48:48 -  - Running in live mode, activating unix socket
29/4/2022 -- 05:48:49 -  - 1 rule files processed. 25845 rules successfully loaded, 0 rules failed
29/4/2022 -- 05:48:49 -  - Threshold config parsed: 0 rule(s) found
29/4/2022 -- 05:48:50 -  - 25848 signatures processed. 1244 are IP-only rules, 4128 are inspecting packet payload, 20272 inspect application layer, 108 are decoder event only

To check Suricata statistics;

tail -f /var/log/suricata/stats.log

To check Suricata alert logs;

tail -f /var/log/suricata/fast.log

Suricata can also write logs in EVE Json output. The default log file is;

tail -f /var/log/suricata/eve.json

Check our other guide on how to read Suricata Eve JSON logs.

Testing Suricata Rules

In this demo, we are using the default ET Suricata rules. If you have created you own custom rules, be sure to test the Suricata rules for syntax errors;

suricata -c /etc/suricata/suricata.yaml -T -v

Perform SSH DDoS Test Attack

On another system, install hping3 tool and perform an SSH DDoS test attack.

dnf install hping3

Then attack SSH on the server running Suricata.

hping3 -S -p 22 --flood --rand-source

Refer to man hping3.

While hping is running, tail the alert logs on Suricata server;

tail -f /var/log/suricata/eve.json

You should see such log lines;


Check the stats;

cat /var/log/suricata/stats.log

With that simple test, we can see that Suricata is setup and running well using the default Emergency Threat rules.

That marks the end of our guide on how to setup Suricata on Rocky Linux.


Read more on Suricata User Guide.

Related Tutorials

Install and Setup Suricata on Ubuntu 18.04

Install and Setup Suricata on Ubuntu 22.04/Ubuntu 20.04

Other Rocky Linux Tutorials

Setup IPSec VPN server with Libreswan on Rocky Linux


We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
Co-founder of, Linux Tips and Tutorials. Linux/Unix admin and author at

Leave a Comment