I followed the documentation and installed the prerequisite packages, but the documentation is not complete. For example, I also needed to install the YAML module with pip3, which is not mentioned in the documentation. So let me show how I installed it (please correct me if there are any mistakes in these steps). Hopefully this post helps others who want to install Suricata on Debian 10:
So these are the prerequisite packages that I installed for Suricata 6.0.1 on Debian 10:
apt-get install make autoconf automake libtool
apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev build-essential libpcap-dev \
libnet1-dev libyaml-0-2 libyaml-dev pkg-config zlib1g zlib1g-dev liblz4-dev \
libcap-ng-dev libcap-ng0 libmagic-dev libjansson-dev libnspr4-dev \
libnss3-dev libgeoip-dev liblua5.1-dev libhiredis-dev libevent-dev \
python-yaml python3-distutils python3-pip
Notice that I did not install the rustc and cargo packages using apt-get, because they have a bug during Suricata compilation (maybe we should update that documentation?).
Bug details: #976601 - rustc: version in buster fails to build Rust code, aborting with "undefined symbol: llvm.x86.subborrow.64" - Debian Bug report logs
and Bug #4204: rust: undefined symbol: llvm.x86.subborrow.64 - Suricata - Open Information Security Foundation
Then I installed this Python module using pip3 (not documented):
pip3 install PyYAML
And I removed any existing rustc package:
sudo apt remove --purge rustc
Then I installed the latest rustc package using this:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
Then I sourced the environment file:
source "$HOME/.cargo/env"
I removed any existing Suricata installation with this:
apt-get remove suricata
rm -rf /usr/share/suricata
rm -rf /etc/suricata
rm -rf /var/lib/suricata
rm -rf /var/log/suricata
rm -f /usr/local/bin/suricata
rm -f /etc/default/suricata
rm -f /etc/init.d/suricata
systemctl daemon-reload
Now I downloaded and installed Suricata 6.0.1 like below:
suricata_select_version="6.0.1"
rm -fv "suricata-${suricata_select_version}.tar.gz"
wget "https://www.openinfosecfoundation.org/download/suricata-${suricata_select_version}.tar.gz"
tar xzvf "suricata-${suricata_select_version}.tar.gz"
cd "suricata-${suricata_select_version}/"
./configure --libdir=/usr/lib64 --prefix=/usr/local --sysconfdir=/etc --localstatedir=/var --datarootdir=/usr/local/share --enable-lua --enable-rust
sudo make install-full
OK, Suricata is installed, but it did not produce a service file. I verified this:
root@code:~/suricata-6.0.1# systemctl status suricata
Unit suricata.service could not be found.
So it couldn't be started, and it seems I need to create the service file manually (this is not mentioned in the documentation). So I created the service file manually:
nano /etc/systemd/system/suricata.service
[Unit]
Description=Suricata IDS/IDP Service
Wants=network.target syslog.target
After=network.target syslog.target
Documentation=man:suricata(8) man:suricatasc(8)
Documentation=https://redmine.openinfosecfoundation.org/projects/suricata/wiki
[Service]
Type=forking
Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libtcmalloc_minimal.so.4
# Verbosity ---> -v: INFO | -vv: INFO+PERF | -vvv: INFO+PERF+CONFIG | -vvvv: INFO+PERF+CONFIG+DEBUG
# -D run as daemon | -c read config file | --pidfile <file> write the pid to a file
ExecStart=suricata --af-packet -vvv -D -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid
ExecStartPre=rm -f /var/run/suricata.pid
ExecStop=kill $MAINPID
ExecStopPost=rm -f /var/run/suricata.pid
ExecReload=kill -9 $MAINPID
[Install]
WantedBy=multi-user.target
Then I ran:
systemctl start suricata
systemctl status suricata
● suricata.service - Suricata IDS/IDP Service
Loaded: loaded (/etc/systemd/system/suricata.service; disabled; vendor preset: enabled)
Active: active (running) since Tue 2021-01-19 11:05:35 +08; 2s ago
Docs: man:suricata(8)
man:suricatasc(8)
https://redmine.openinfosecfoundation.org/projects/suricata/wiki
Process: 28717 ExecStartPre=/usr/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
Process: 28718 ExecStart=/usr/local/bin/suricata --af-packet -vvv -D -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid (code=exited, status=0/SUCCESS)
Main PID: 28719 (Suricata-Main)
Tasks: 1 (limit: 4701)
Memory: 223.0M
CGroup: /system.slice/suricata.service
└─28719 /usr/local/bin/suricata --af-packet -vvv -D -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid
Jan 19 11:05:35 sun.codegix.com suricata[28718]: 19/1/2021 -- 11:05:35 - <Info> - CPUs/cores online: 2
Jan 19 11:05:35 sun.codegix.com suricata[28718]: 19/1/2021 -- 11:05:35 - <Config> - Adding interface eth0 from config file
Jan 19 11:05:35 sun.codegix.com suricata[28718]: 19/1/2021 -- 11:05:35 - <Config> - 'default' server has 'request-body-minimal-inspect-size' set to 32046 and 'request-body-inspect-window' set to 3942 after randomization.
Jan 19 11:05:35 sun.codegix.com suricata[28718]: 19/1/2021 -- 11:05:35 - <Config> - 'default' server has 'response-body-minimal-inspect-size' set to 42771 and 'response-body-inspect-window' set to 15928 after randomization.
Jan 19 11:05:35 sun.codegix.com suricata[28718]: 19/1/2021 -- 11:05:35 - <Config> - SMB stream depth: 0
Jan 19 11:05:35 sun.codegix.com suricata[28718]: 19/1/2021 -- 11:05:35 - <Config> - Protocol detection and parser disabled for modbus protocol.
Jan 19 11:05:35 sun.codegix.com suricata[28718]: 19/1/2021 -- 11:05:35 - <Config> - Protocol detection and parser disabled for enip protocol.
Jan 19 11:05:35 sun.codegix.com suricata[28718]: 19/1/2021 -- 11:05:35 - <Config> - Protocol detection and parser disabled for DNP3.
Jan 19 11:05:35 sun.codegix.com suricata[28718]: 19/1/2021 -- 11:05:35 - <Info> - Found an MTU of 1500 for 'eth0'
Jan 19 11:05:35 sun.codegix.com systemd[1]: Started Suricata IDS/IDP Service.
and now it's running.
- Are there any mistakes, or maybe something I can improve, in these steps for installing Suricata 6.0.1 on Debian 10?
- Also, is there any official way to write that service file? For example, I have doubts about using kill -9 $MAINPID. What is the recommended kill signal to stop Suricata?
I need to write documentation for my employees, so hopefully the steps above follow best practice for running Suricata.
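As an added example (the editor's, not code from the original post or from the Suricata project), here is a small POSIX sh lint for a hand-written suricata.service. It checks a unit file for the pitfalls a reviewer would flag in the unit above: the LD_PRELOAD misspelling, shell operators such as && inside Exec= lines (systemd does not run those through a shell), kill -9 on stop or reload, and non-absolute command paths. The two sample units it writes are constructed for the demonstration; the "good" one relies on these assumptions, not on anything in the post: that systemd's default SIGTERM is the right stop signal for Suricata, that SIGUSR2 is the rule-reload signal, and that ExecStopPost= is the place for pidfile cleanup.

```shell
#!/bin/sh
# Added example (editor's, not from the original post or from Suricata):
# lint a suricata.service unit for the pitfalls discussed above.

# write_sample_unit bad|good
#   Writes a constructed sample unit to a temp file and prints its path.
write_sample_unit() {
    t=$(mktemp) || return 1
    if [ "$1" = bad ]; then
        # Constructed to mirror the unit from the post, typo and shell syntax included.
        cat >"$t" <<'EOF'
[Unit]
Description=Suricata IDS/IDP Service
After=network.target

[Service]
Type=forking
Environment=LD_PREDLOAD=/usr/lib/x86_64-linux-gnu/libtcmalloc_minimal.so.4
ExecStartPre=rm -f /var/run/suricata.pid
ExecStart=suricata --af-packet -D -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid
ExecStop=kill $MAINPID && rm -f /var/run/suricata.pid
ExecReload=kill -9 $MAINPID

[Install]
WantedBy=multi-user.target
EOF
    else
        # Constructed corrected form. Assumptions: systemd's default SIGTERM stops
        # Suricata cleanly, SIGUSR2 reloads rules, ExecStopPost= cleans the pidfile.
        cat >"$t" <<'EOF'
[Unit]
Description=Suricata IDS/IPS Service
After=network.target

[Service]
Type=forking
Environment=LD_PRELOAD=/usr/lib/x86_64-linux-gnu/libtcmalloc_minimal.so.4
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/usr/local/bin/suricata --af-packet -D -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid
ExecReload=/bin/kill -USR2 $MAINPID
ExecStopPost=/bin/rm -f /var/run/suricata.pid

[Install]
WantedBy=multi-user.target
EOF
    fi
    echo "$t"
}

# lint_unit FILE
#   Prints one line per problem found; prints nothing for a clean unit.
lint_unit() {
    f="$1"
    # 1. Misspelled LD_PRELOAD: systemd exports the typo unchanged, so the
    #    tcmalloc preload silently never happens.
    if grep -q '^Environment=LD_PREDLOAD' "$f"; then
        echo "typo: Environment=LD_PREDLOAD should be LD_PRELOAD"
    fi
    # 2. Shell operators in Exec*= lines: systemd does not run them through a
    #    shell, so '&&' becomes a literal argument to kill.
    if grep -E '^Exec[A-Za-z]*=.*(&&|\|\||;)' "$f" >/dev/null; then
        echo "shell-syntax: Exec lines are not parsed by a shell; use ExecStopPost= for cleanup"
    fi
    # 3. SIGKILL on stop/reload gives Suricata no chance to flush logs and
    #    shut down cleanly (assumption: SIGTERM to stop, SIGUSR2 to reload rules).
    if grep -E '^Exec(Reload|Stop)=.*kill +-9' "$f" >/dev/null; then
        echo "sigkill: kill -9 skips the clean shutdown; let systemd send SIGTERM, reload with -USR2"
    fi
    # 4. Non-absolute command paths. Debian 10's systemd resolves them from a
    #    fixed search path (the post's status output shows /usr/local/bin/suricata),
    #    but older systemd rejects the unit, so absolute paths are safer.
    grep -E '^Exec[A-Za-z]*=[^/@:+!-]' "$f" | while IFS= read -r line; do
        echo "relative-path: $line"
    done
    return 0
}

# Stand-alone demonstration: lint both constructed samples.
for kind in bad good; do
    u=$(write_sample_unit "$kind")
    echo "== $kind sample =="
    lint_unit "$u"
    rm -f "$u"
done
```

Running it prints seven findings for the "bad" sample (the typo, the && in ExecStop, the kill -9, and four relative command paths) and nothing for the corrected one; pointing lint_unit at /etc/systemd/system/suricata.service gives the same report for a real unit.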