Suricata-IDS and Debian

Hello,
I want to install the Suricata-IDS on Debian 12, but its version is suricata_6.0.10-1. Is it OK or should I install the new version manually?

Thank you.

I would suggest at least current stable from the 6 branch - 6.0.13, ideally current stable 7.0.0

1 Like

Hello,
Thank you so much for your reply.
So, do I have to install it manually? If yes, the Suricata-IDS 6.0.13 or 7.0.0?

Hello,
I want to use the Suricata-IDS on Debian as an IPS. If I want to compile it from the source code, then what parameters should I consider when compiling?

Thank you.

The Debian stable release (e.g. “bookworm”) regardless of the minor version (e.g. Debian 12.1) always contains the version of Suricata that was released at the time of the release freeze. That was version 6.0.10. It will never be updated in stable to a newer version.
Newer Suricata versions are available outside Debian stable through the “backports” system (Backports - Debian Wiki) which needs to be enabled as a package source explicitly. I’ll prepare backports for bookworm-backports soon.

1 Like

Hello,
Thank you so much for your reply.
I use Debian 12.1 and I want to use the Suricata-IDS in IPS mode. Do I have to use a special parameter when compiling?

If you want to compile from source, I don’t think you need to provide a special parameter to enable IPS. But as I never used the IPS feature, I can’t say for sure.

If you wait until the package is in bookworm-backports, then add the backports repository to your sources.list and then just install suricata via apt, you won’t even need to compile from source at all. This might take some time though because the package will have to clear manual review on the Debian side before being available publicly.

1 Like

Hello,
Thanks again.
How long should I wait?

No idea. It can take weeks, depending on the work load of Debian’s ftpmaster team who have to approve each new package.

TBH if you want to get going as quickly as possible, I suggest you actually compile from source yourself. Just wanted to let you know the options :wink:

1 Like

Hello,
I used the following command to compile the Suricata-IDS:

# ./configure --disable-gccmarch-native --prefix=/usr/ --sysconfdir=/etc --localstatedir=/var --enable-lua --enable-geoip
# make
# make install

1- Does this install Suricata-IDS in the /usr/bin directory?
2- When I want to run the Suricata-IDS, it shows me the error below:

Error: conf-yaml-loader: failed to open file: /etc/suricata//suricata.yaml: No such file or directory

Why does it use // instead of /?

Thank you.

1.) It should, since you gave /usr as the prefix.
2.) I guess, since you have a sysconfdir of /etc. Does the file /etc/suricata/suricata.yaml exist? What was the output of your make runs, any error messages? Please keep in mind that if you want to install system-wide, i.e. into these directories, you need to be root!

1 Like

Hello,
Thanks again.
I used root user.
I didn’t see any error after running the make && make install command.
After the installation finished, in the /etc/ directory I didn’t see any directory named suricata, so I created it manually and copied the suricata.yaml file from somewhere else in this directory.
There was the same problem with the /var/log/ directory. The directory named suricata did not exist and I created it manually and created a file named suricata.log inside it.
What is the problem?

Try make install-full… Looks like an oops, this isn’t covered in our from-source installation but is required to get rules and configuration installed.

1 Like

Hello,
Thank you so much for your reply.
So, first I have to delete the directories and files that I have created, then execute the make uninstall command and finally execute the make install-full command. Am I right?

Yes, since this is a fresh install, I assume you want to start fresh:

  • rm -rf /etc/suricata
  • rm -rf /var/log/suricata
  • rm -rf /var/lib/suricata

Then make install-full.

1 Like
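As an added illustration (not code from the thread or from the Suricata project), a small POSIX shell check of the layout that `make install-full` is expected to leave behind for the `--sysconfdir=/etc --localstatedir=/var` build above: the config file, the rules directory and the log directory that the original poster had to create by hand after a plain `make install`. The paths under `$sysconfdir/suricata`, `$localstatedir/lib/suricata/rules` and `$localstatedir/log/suricata` are assumptions based on the directories named in the thread; the demo uses a scratch directory, not the real /etc and /var.

```shell
#!/bin/sh
# check_suricata_layout SYSCONFDIR LOCALSTATEDIR
# Returns 0 when the files/dirs that `make install-full` should create exist,
# 1 otherwise, naming each missing path on stderr. Assumed layout:
# config in $sysconfdir/suricata, rules in $localstatedir/lib/suricata/rules,
# logs in $localstatedir/log/suricata.
check_suricata_layout() {
    sysconfdir="$1"
    localstatedir="$2"
    missing=0
    for path in \
        "$sysconfdir/suricata/suricata.yaml" \
        "$localstatedir/lib/suricata/rules" \
        "$localstatedir/log/suricata"
    do
        if [ ! -e "$path" ]; then
            echo "missing: $path" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Validate the installed config without starting the engine, using
# Suricata's own -T (test configuration) mode; needs the binary on PATH.
test_suricata_config() {
    sysconfdir="$1"
    if ! command -v suricata >/dev/null 2>&1; then
        echo "suricata not on PATH; run 'make install-full' first" >&2
        return 2
    fi
    suricata -T -c "$sysconfdir/suricata/suricata.yaml"
}

# Constructed demo: an empty tree (what plain 'make install' leaves) fails the
# check, the tree 'make install-full' produces passes it.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/var"
    check_suricata_layout "$tmp/etc" "$tmp/var" || echo "plain install: layout incomplete"
    mkdir -p "$tmp/etc/suricata" "$tmp/var/lib/suricata/rules" "$tmp/var/log/suricata"
    : > "$tmp/etc/suricata/suricata.yaml"
    check_suricata_layout "$tmp/etc" "$tmp/var" && echo "install-full: layout complete"
    rm -rf "$tmp"
}

demo
```

On a real host, run `check_suricata_layout /etc /var` after `make install-full` and then `test_suricata_config /etc` before starting Suricata.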

Hello,
Thank you so much.

Hello,
When I installed Suricata-IDS from source code, why is there no service to run via systemctl?

Thank you.