This is a getting started guide for Suricata on Red Hat Enterprise Linux and CentOS, including rebuilds like AlmaLinux and Rocky Linux. It should also be applicable to Fedora.
The OISF provides Suricata RPMs for RHEL 7 and newer. The main benefit of the OISF RPMs is that an RPM repository is provided for each supported version of Suricata allowing you to track the latest 6.0 or 7.0 patch releases.
yum install epel-release yum-plugin-copr
yum copr enable @oisf/suricata-7.0
yum install suricata
Please see Guide: Suricata RPMs for CentOS and Fedora for more information on the OISF provided RPMs as well as installing other supported versions of Suricata.
Suricata can also be installed from EPEL, however these packages are not maintained or tested by the OISF, and may not be the latest version due to policies outside our control.
sudo yum -y install epel-release
sudo yum -y install suricata
A note on permissions: The Suricata RPM will create a group, suricata, which Suricata will run as after startup. By adding user accounts to this group, users can view the logs as well as run suricata-update without sudo or becoming root.
After installation, it is recommended to add your user to the suricata group. You will need to log out and log back in again to become a member of this group. If you choose not to add yourself to the suricata group, you will have to prefix the suricata-update commands with sudo.
Suricata does not ship with any rules. To get the Emerging Threats Open ruleset, simply run:
suricata-update
The network interface that Suricata listens on when installed with the RPM package is set in the file /etc/sysconfig/suricata. The default version of this file specifies the eth0 interface, but it is very likely you'll need to change this. For example, if your interface is named enp4s0f0, then you will need to modify the OPTIONS line in /etc/sysconfig/suricata to look like:
OPTIONS="-i enp4s0f0 --user suricata "
If you are setting up Suricata to use a different capture method, such as NFQUEUE or PF_RING, this is where you would set that option by replacing -i. For example, to use NFQUEUE you would use -q 0 instead of -i enp4s0f0.
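As an added example (not part of the Suricata documentation), the following shell helpers apply the OPTIONS change described above to a sysconfig file, switching between an interface (-i) and NFQUEUE (-q) while keeping the --user suricata flag intact. The function names, and working on a copy of the file rather than the live /etc/sysconfig/suricata, are assumptions made for illustration.

```bash
#!/bin/sh
# Added example (not from the Suricata docs): rewrite the OPTIONS line of a
# sysconfig file as the guide describes. Function names are illustrative.
#   set_capture_option FILE af-packet IFACE  -> OPTIONS="-i IFACE --user suricata"
#   set_capture_option FILE nfqueue QUEUE    -> OPTIONS="-q QUEUE --user suricata"
set_capture_option() {
    file=$1; mode=$2; arg=$3
    case "$mode" in
        af-packet)
            [ -n "$arg" ] || { echo "interface name required" >&2; return 1; }
            capture="-i $arg" ;;
        nfqueue)
            # The queue number must be a non-negative integer (e.g. 0).
            case "$arg" in ''|*[!0-9]*) echo "bad queue number: $arg" >&2; return 1 ;; esac
            capture="-q $arg" ;;
        *)  echo "unknown capture mode: $mode" >&2; return 1 ;;
    esac
    grep -q '^OPTIONS=' "$file" || { echo "no OPTIONS line in $file" >&2; return 1; }
    # Replace only the OPTIONS line; keep --user suricata so the daemon still
    # drops privileges to the suricata group after startup. Other lines are untouched.
    sed "s|^OPTIONS=.*|OPTIONS=\"$capture --user suricata\"|" "$file" > "$file.tmp" &&
        mv "$file.tmp" "$file"
}

# Print the capture flag currently configured, e.g. "-i enp4s0f0" or "-q 0".
current_capture() {
    sed -n 's/^OPTIONS="\(-[iq] [^ "]*\).*/\1/p' "$1"
}

# Usage on a constructed copy of the default file (hypothetical path):
#   cp /etc/sysconfig/suricata /tmp/suricata.sysconfig
#   set_capture_option /tmp/suricata.sysconfig af-packet enp4s0f0
#   current_capture /tmp/suricata.sysconfig
```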
The Suricata RPM is set up to be started and stopped with systemd.
To start Suricata run:
systemctl start suricata
To stop Suricata:
systemctl stop suricata
To have Suricata automatically started on boot:
systemctl enable suricata
The configuration file is located at
The Suricata RPM is bundled with Suricata-Update, which can be used to update your rules. By default the Emerging Threats Open ruleset will be used until another rule source is configured. To update your rules, run:
suricata-update
Note: If the above command fails with a permission error, please consider adding your user to the suricata group. This will allow you to run suricata-update as a non-root user, which is recommended. Alternatively, you could run sudo suricata-update.
Then, if Suricata is currently running, a rule reload can be triggered with the following command:
sudo systemctl reload suricata
The log directory is located at /var/log/suricata, with the Eve log file being found at /var/log/suricata/eve.json. If your user belongs to the suricata group you should have read access to these files. Otherwise you may have to become root to view the log files.
If you would like to use IPS mode for protecting the host that Suricata is running on, a few direct rules must be added to firewalld. These rules can be added with the following commands:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -j NFQUEUE
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -j NFQUEUE
Note: To operate in a fail-open manner, where packets will still be passed if Suricata is not running, add --queue-bypass to the end of these commands.
Then reload firewalld with:
firewall-cmd --reload
To protect machines behind the Suricata host in the case where it is acting as a router, a single direct rule must be added to firewalld. This rule can be added with the following command:
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -j NFQUEUE