Hello,
I want to install the Suricata-IDS on Debian 12, but its version is suricata_6.0.10-1. Is it OK or should I install the new version manually?
Thank you.
I would suggest at least current stable from the 6 branch, 6.0.13, ideally current stable 7.0.0.
Hello,
Thank you so much for your reply.
So, do I have to install it manually? If yes, the Suricata-IDS 6.0.13 or 7.0.0?
Hello,
I want to use the Suricata-IDS on Debian as an IPS. If I want to compile it from the source code, then what parameters should I consider when compiling?
Thank you.
The Debian stable release (e.g. “bookworm”) regardless of the minor version (e.g. Debian 12.1) always contains the version of Suricata that was released at the time of the release freeze. That was version 6.0.10. It will never be updated in stable to a newer version.
Newer Suricata versions are available outside Debian stable through the “backports” system (Backports - Debian Wiki) which needs to be enabled as a package source explicitly. I’ll prepare backports for bookworm-backports soon.
Hello,
Thank you so much for your reply.
I use Debian 12.1 and I want to use the Suricata-IDS in IPS mode. Do I have to use a special parameter when compiling?
If you want to compile from source, I don’t think you need to provide a special parameter to enable IPS. But as I have never used the IPS feature, I can’t say for sure.
If you wait until the package is in bookworm-backports, then add the backports repository to your sources.list and then just install suricata via apt, you won’t even need to compile from source at all. This might take some time though because the package will have to clear manual review on the Debian side before being available publicly.
Hello,
Thanks again.
How long should I wait?
No idea. It can take weeks, depending on the workload of Debian’s ftpmaster team who have to approve each new package.
TBH if you want to get going as quickly as possible, I suggest you actually compile from source yourself. Just wanted to let you know the options.
Hello,
I used the following command to compile the Suricata-IDS:
# ./configure --disable-gccmarch-native --prefix=/usr/ --sysconfdir=/etc --localstatedir=/var --enable-lua --enable-geoip
# make
# make install
1- Does this install Suricata-IDS in the /usr/bin directory?
2- When I try to run the Suricata-IDS, it shows me the error below:
Error: conf-yaml-loader: failed to open file: /etc/suricata//suricata.yaml: No such file or directory
Why does it use // instead of /?
Thank you.
1.) It should, since you gave /usr as the prefix.
2.) I guess, since you have a sysconfdir of /etc. Does the file /etc/suricata/suricata.yaml exist? What was the output of your make runs, any error messages? Please keep in mind that if you want to install system-wide, i.e. into these directories, you need to be root!
Hello,
Thanks again.
I used root user.
I didn’t see any error after running the make && make install command.
After the installation finished, in the /etc/ directory I didn’t see any directory named suricata, so I created it manually and copied the suricata.yaml file from somewhere else into this directory.
There was the same problem with the /var/log/ directory. The directory named suricata did not exist and I created it manually and created a file named suricata.log inside it.
What is the problem?
Try make install-full
… Looks like an oops, this isn’t covered in our from-source installation but is required to get rules and configuration installed.
Hello,
Thank you so much for your reply.
So, first I have to delete the directories and files that I have created, then execute the make uninstall command and finally execute the make install-full command. Am I right?
Yes, since this is a fresh install, I assume you want to start fresh:
rm -rf /etc/suricata
rm -rf /var/log/suricata
rm -rf /var/lib/suricata
Then make install-full.
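As an added example (not from this thread or from the Suricata project), the following POSIX shell script derives the install layout that a ./configure line such as the one above implies and checks whether the files that make install-full is expected to create are actually present, which is a quick way to spot the missing /etc/suricata and /var/log/suricata directories reported earlier. It assumes the usual GNU directory conventions (prefix for bin, sysconfdir for the config, localstatedir for log and lib) and that the rules land in lib/suricata/rules under localstatedir.

```shell
#!/bin/sh
# Added example, not part of the forum thread or of Suricata itself.
# Assumption: Suricata's configure follows the GNU directory variables,
# so prefix -> bin, sysconfdir -> suricata/suricata.yaml,
# localstatedir -> log/suricata and lib/suricata/rules.

# Print "key=path" lines for the layout implied by configure arguments.
suricata_layout() {
    prefix=/usr/local; sysconfdir=""; localstatedir=""
    for arg in "$@"; do
        case "$arg" in
            --prefix=*)        prefix=${arg#--prefix=} ;;
            --sysconfdir=*)    sysconfdir=${arg#--sysconfdir=} ;;
            --localstatedir=*) localstatedir=${arg#--localstatedir=} ;;
        esac
    done
    # GNU defaults when not given: sysconfdir=$prefix/etc, localstatedir=$prefix/var
    [ -n "$sysconfdir" ] || sysconfdir="$prefix/etc"
    [ -n "$localstatedir" ] || localstatedir="$prefix/var"
    # Strip a trailing slash (as in --prefix=/usr/) so joined paths do not contain "//"
    prefix=${prefix%/}; sysconfdir=${sysconfdir%/}; localstatedir=${localstatedir%/}
    printf 'bin=%s/bin/suricata\n' "$prefix"
    printf 'conf=%s/suricata/suricata.yaml\n' "$sysconfdir"
    printf 'rules=%s/lib/suricata/rules\n' "$localstatedir"
    printf 'log=%s/log/suricata\n' "$localstatedir"
}

# Check every path from suricata_layout; list the missing ones and return 1
# if any is absent (the situation after a plain `make install` without
# install-full: binary present, but no config, rules or log directory).
check_layout() {
    rc=0
    for entry in $(suricata_layout "$@"); do
        path=${entry#*=}
        if [ ! -e "$path" ]; then
            echo "missing: $entry"
            rc=1
        fi
    done
    return $rc
}

# Usage: ./check-suricata-layout.sh --prefix=/usr/ --sysconfdir=/etc --localstatedir=/var
[ "$#" -eq 0 ] || check_layout "$@"
```

Run it with the same arguments you passed to ./configure; an empty output and a zero exit status mean the install is complete.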
Hello,
Thank you so much.
Hello,
When I installed Suricata-IDS from source code, why are there no services to run via systemctl?
Thank you.