Suricata 6.0.0 stable packages are now available for Ubuntu on Ubuntu PPA (Launchpad)

More about Suricata 6.0.0 stable features, improvements and release notes :

Suricata 6.0.0 stable packages are now available for Ubuntu on Ubuntu PPA (Launchpad) - Rust enabled.

  • 16.04 Xenial
  • 18.04 Bionic
  • 20.04 Focal

32 and 64 bit packages available with the following architectures -

  • amd64
  • armhf
  • arm64
  • ppc64
  • i386
  • s390x

The default installation in 6.0.0 also includes (available in the package) the tools:

  • suricata-update
  • suricatactl

You can also get help on how to use the tools by running “suricata-update -h” or “suricatactl -h”.

The packages are built with:

  • IPS (nfqueue/AFP)
  • All JSON output
  • GeoIP
  • Unix-Socket
  • Lua scripting
  • NSS(MD5) enabled
  • PIE - Position Independent Executable
  • Redis enabled support
  • Rust

The Ubuntu

  • 18.04 Bionic
  • 20.04 Focal

distribution packages have Hyperscan enabled by default for extra performance.
(Your CPU needs to have the SSSE3 flag. You can check with - cat /proc/cpuinfo)

By community request, a “suricata-dbg” package (Suricata with debug features enabled) is also available, ready to install out of the box:

sudo apt-get install suricata-dbg

Suricata 6.0.0 stable is available from our suricata-stable PPA repository.

How to:

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation_-Personal_Package_Archives%28PPA%29

Feedback is welcome!

Trainings and Webinars
See https://suricata_events.eventbrite.com/ for the current list of planned training sessions.

Thank you !

I’ve just tried installing this on a fresh Ubuntu 20.04/Focal box, but when I try to start the service with NFQ enabled I get this error:

Oct 09 12:17:40 focal suricata[209318]:  * NFQUEUE support not found !
Oct 09 12:17:40 focal suricata[209318]:  * Please ensure the nfnetlink_queue module is loaded or built in kernel

Looking at the init.d script in the package it’s being thrown from here:

# /etc/init.d/suricata, lines 51-57:
check_nfqueue() {
if [ ! -e /proc/net/netfilter/nf_queue ] && [ ! -e /proc/net/netfilter/nfnetlink_queue ]; then
    log_failure_msg "NFQUEUE support not found !"
    log_failure_msg "Please ensure the nfnetlink_queue module is loaded or built in kernel"
    exit 5
fi
}

Doing cat /proc/net/netfilter/nf_queue and cat /proc/net/netfilter/nfnetlink_queue both give: “No such file or directory”.

lsmod gives this:

$ lsmod | grep NFQ
xt_NFQUEUE             16384  1
x_tables               40960  3 iptable_filter,ip_tables,xt_NFQUEUE

Are there other packages required for using NFQ? Maybe something has changed in 20.04?

Update: I tried commenting out that check in the init.d script and restarting suricata, and it works perfectly fine (and uses NFQUEUE). After running it for a minute like this, cat /proc/net/netfilter/nfnetlink_queue started giving some expected output instead of “No such file or directory”.
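
One way a start-up check like the one quoted above could tolerate a module that is not loaded yet, as an added example that is not the packaged init script and not code from anyone in this thread. It assumes that loading nfnetlink_queue is what creates the proc entry; PROC_NF, NFQ_LOADER, fake_load_ok, fake_load_fail and nfqueue_demo are hypothetical names introduced so the logic can run on a constructed directory without root.

```shell
#!/bin/sh
# Added example, not the packaged /etc/init.d/suricata.
# PROC_NF and NFQ_LOADER are hypothetical overrides so the logic can be
# exercised on a constructed directory without root or a real kernel.
PROC_NF="${PROC_NF:-/proc/net/netfilter}"
NFQ_LOADER="${NFQ_LOADER:-modprobe -q nfnetlink_queue}"

# True when the kernel already exposes one of the NFQUEUE proc entries
# that the packaged check looks for.
nfqueue_visible() {
    [ -e "$PROC_NF/nf_queue" ] || [ -e "$PROC_NF/nfnetlink_queue" ]
}

# Returns 0 when NFQUEUE is usable, 5 (the packaged script's exit code)
# when it is not, even after trying to load the module.
check_nfqueue() {
    if nfqueue_visible; then return 0; fi
    # Assumption: the proc entry is missing only because nfnetlink_queue
    # has not been loaded yet, so try loading it before giving up.
    $NFQ_LOADER >/dev/null 2>&1 || true
    if nfqueue_visible; then return 0; fi
    echo "NFQUEUE support not found !" >&2
    echo "Please ensure the nfnetlink_queue module is loaded or built in kernel" >&2
    return 5
}

# Constructed stand-ins for modprobe: one creates the proc entry the way
# a successful module load would, the other fails like a missing module.
fake_load_ok()   { : > "$PROC_NF/nfnetlink_queue"; }
fake_load_fail() { return 1; }

# Runs check_nfqueue against an empty temporary directory with the given
# loader and prints the resulting status code.
nfqueue_demo() {
    PROC_NF=$(mktemp -d) NFQ_LOADER=$1
    demo_rc=0
    check_nfqueue 2>/dev/null || demo_rc=$?
    rm -rf "$PROC_NF"
    echo "$demo_rc"
}

if [ "${1:-}" = "--demo" ]; then
    echo "module loads on demand: $(nfqueue_demo fake_load_ok)"
    echo "module unavailable:     $(nfqueue_demo fake_load_fail)"
fi
```

Run with --demo to see both outcomes; with the defaults left in place, check_nfqueue calls modprobe and therefore needs root.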

Thank you for the update.
We will cook a fix for Focal for the start up script.

It might apply to other versions as well… I’m not sure that check is useful/necessary in Ubuntu versions above 12/14?

Edit: confirmed the exact same issue (and fix) on Ubuntu 16.

P.S: Hyperscan support by default is awesome, thanks! :heart:

Thanks for checking it out !