Suricata IPS installation

gbenga_awo · August 24, 2023, 12:58pm

I’m new to Suricata and I really need help on installing and Configuring Suricata as IPS on Raspberry pi 4

sbhardwaj · August 25, 2023, 7:33am

Hi, @gbenga_awo !
Welcome to our forum.
Could you please tell what have you tried and what exactly do you need help with?

gbenga_awo · August 25, 2023, 9:16am

Hi Shivani,

I have been able to install it as IDS but whenever I try installing IPS either I get a rust error version 1.48 error to upgrade in which I tried but have not been successful, dependency errors, suricata service not found and many more different attempts. I need a guide that will assist me in getting this resolved.
I’m running Suricata on Raspberry Pi 4 to prevent DOS attacks on IoT devices. this is for my academic project work. I really need help to archive this work.

sbhardwaj · August 25, 2023, 9:43am

I’ll wait to see if others know of something but unfortunately, I’m unaware of such guides for IPS. We should do better there indeed.
But, I suppose we could help you with things like suricata service not found and dependency errors. Could you please share the version of Suricata you’re trying to install and how did you install this? Which OS are you running?
And let’s tackle the issues one at a time.

gbenga_awo · August 25, 2023, 10:15am

thanks for your quick response. I’m running version 6.0.6 using the Suricata website installation documentation 6.0.0

Andreas_Herz · August 25, 2023, 11:20am

First of all, 6.0.6 is rather old, 6.0.13 is out. You said IDS installation worked, but IPS did not. There is no big difference in the installation, except that you might want to include some other libraries like libnfqueue as dependency.

What are the actual steps that you did and what was the output that you received?

gbenga_awo · August 25, 2023, 12:13pm

Thanks for your response. I will reinstall with 6.0.13 now and see how it goes. I will surely get soon. The major, I mostly is dependance to used. Usually tried different ones. could please direct to where to get dependence for suricata on raspberry pi.

Andreas_Herz · August 25, 2023, 12:17pm

The ./configure output will tell you which packages to install on Debian/Ubuntu which I assume is the base OS used on your Raspi.

gbenga_awo · August 25, 2023, 4:15pm

Hi Abdreaa,

thanks for your reply and advice. please in quote i encountered while installing make install-full
“make install-rules
make[1]: Entering directory ‘/home/hp/suricata-6.0.13’
LD_LIBRARY_PATH=/usr/local/lib /usr/local/bin/suricata-update
–suricata /usr/local/bin/suricata
–suricata-conf /usr/local/etc/suricata/suricata.yaml
–no-test --no”

thanks in advance

gbenga_awo · August 25, 2023, 4:19pm

“make install-rules
make[1]: Entering directory ‘/home/hp/suricata-6.0.13’
LD_LIBRARY_PATH=/usr/local/lib /usr/local/bin/suricata-update
–suricata /usr/local/bin/suricata
–suricata-conf /usr/local/etc/suricata/suricata.yaml
–no-test --no-reload
error: pyyaml is required
make[1]: *** [Makefile:930: install-rules] Error 1
make[1]: Leaving directory ‘/home/hp/suricata-6.0.13’
make: *** [Makefile:915: install-full] Error 2”

ish · August 25, 2023, 4:21pm

Make sure PyYAML is installed, this can likely be done with:

apt install python3-yaml

then re-run make install-full.

gbenga_awo · August 25, 2023, 5:58pm

Hi Jason,

Thanks for your reply. Please after the the python3 and re-rnu make install, the installation seems okay., but unable to start the services.
This what i got after the installation finished “You can now start suricata by running as root something like:
/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0”.

While running the command startup command i got below message:
hp@raspberrypi:~ $ sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0
sudo: /usr/bin/suricata: command not found

Andreas_Herz · August 25, 2023, 7:15pm

In your previous post you ad:

 –suricata /usr/local/bin/suricata

So this is the path in your case I guess. Please look into the output of the make install and compilation process, it contains those infos.

gbenga_awo · August 25, 2023, 7:49pm

Hi Andreas,

I’m unable to get any output of the make install using "sudo make install -n "

“@raspberrypi:~ $ sudo make -n
make: *** No targets specified and no makefile found. Stop”

below are see path for surcata
2. sudo find / -name suricata

find: ‘/run/user/1000/gvfs’: Permission denied
/usr/local/bin/suricata
/usr/local/lib/suricata
/usr/local/lib/suricata/python/suricata
/usr/local/share/doc/suricata
/usr/local/share/suricata
/usr/local/etc/suricata
/usr/local/var/lib/suricata
/usr/local/var/log/suricata
/usr/local/var/run/suricata
/home/hp/Downloads/suricata
/home/hp/suricata-6.0.13/src/.libs/suricata
/home/hp/suricata-6.0.13/src/suricata
/home/hp/suricata-6.0.13/python/suricata
/home/hp/suricata-6.0.13/suricata-update/suricata

Andreas_Herz · August 25, 2023, 8:03pm

Why do you pass -n? Also you seem to have found the Suricata binary as I mentioned in /usr/local/bin.

gbenga_awo · August 25, 2023, 8:17pm

I used -n so that i will not be running the make installation program again.
Now, do I have to run to run the “sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0”
from this location /usr/local/bin.? Or what do I need to run now and from where, please?

Andreas_Herz · August 25, 2023, 8:23pm

No the actual binary seems to be in /usr/loca/bin and thus sudo /usr/loca/bin/suricata -c ... would be the correct command. It depends on how you did run the build process, what you did pass as arguments and if not, what default was picked up.

I would recommend reading more into the Linux basics and how to run and compile applications. In addition to that for Suricata itself read the documentation at https://docs.suricata.io

gbenga_awo · August 25, 2023, 11:04pm

Hi Andreas,

Thanks for your reply. It looks running fine from :
hp@raspberrypi:~ $ sudo suricata -T
25/8/2023 – 23:49:38 - - Running suricata under test mode
25/8/2023 – 23:49:38 - - This is Suricata version 6.0.13 RELEASE running in SYSTEM mode
25/8/2023 – 23:49:52 - - Configuration provided was successfully loaded. E

However, when I ran the status command it did not show the active status :
hp@raspberrypi:~ $ sudo systemctl status suricata.service
Unit Suricata. service could not be found.

Andreas_Herz · August 31, 2023, 5:39am

Did you create a systemd service file? An example one is shipped with Suricata and can be found in etc/ in the Suricata package.

gbenga_awo · September 3, 2023, 6:06pm

Hi Andreas,

Thank you for your support. However, I was able to install and configure suricata in IPS mode (inline-AFPACKET) and it was able to detect DOS attack and dropped it but the challenges faced was that suricata is showing as dropped on the console but when i try to access the web(port 80) the site was unreachable and when i stop the attack, the web is actively working again. Can you please assist to fix the issues. I want the site to be available when suricata is dropping the DoS attack but reverse is the case i.e Suricata is showing dropped but the site on port 80 is not available. error " This site can’t be reached".

Kind regards,

Topic		Replies	Views
Suricata-IDS and Debian Help	16	511	September 28, 2023
[Error during Suricata installation]	21	1245	July 15, 2023
Installation Failure Help	3	572	April 25, 2022
Can IPS/IDS Suricata run on arm64? Help ips , suricata	1	139	February 2, 2024
Suricata Installation Walkthrough Help ips , community , rules , suricata	1	599	April 16, 2023

Suricata IPS installation

Related Topics