Suricata IPS installation

I’m new to Suricata and I really need help on installing and configuring Suricata as an IPS on a Raspberry Pi 4.

Hi, @gbenga_awo !
Welcome to our forum. :slight_smile:
Could you please tell us what you have tried and what exactly you need help with?

Hi Shivani,

I have been able to install it as an IDS, but whenever I try installing it as an IPS I get either a Rust error (version 1.48, asking me to upgrade, which I tried without success), dependency errors, "suricata service not found", and many more across different attempts. I need a guide that will assist me in getting this resolved.
I’m running Suricata on a Raspberry Pi 4 to prevent DoS attacks on IoT devices. This is for my academic project work. I really need help to achieve this.

I’ll wait to see if others know of something but unfortunately, I’m unaware of such guides for IPS. We should do better there indeed.
But I suppose we could help you with things like "suricata service not found" and dependency errors. Could you please share the version of Suricata you’re trying to install and how you installed it? Which OS are you running?
And let’s tackle the issues one at a time.

Thanks for your quick response. I’m running version 6.0.6, installed using the Suricata website installation documentation for 6.0.0.

First of all, 6.0.6 is rather old; 6.0.13 is out. You said the IDS installation worked, but IPS did not. There is no big difference in the installation, except that you might want to include some other libraries like libnfqueue as a dependency.

What are the actual steps that you did and what was the output that you received?

Thanks for your response. I will reinstall with 6.0.13 now and see how it goes. I will surely get back soon. The major issue I mostly have is which dependencies to use; I usually tried different ones. Could you please direct me to where to get the dependencies for Suricata on Raspberry Pi?

The ./configure output will tell you which packages to install on Debian/Ubuntu, which I assume is the base OS used on your Raspi.

Hi Andreas,

Thanks for your reply and advice. Quoted below is what I encountered while running make install-full:
“make install-rules
make[1]: Entering directory ‘/home/hp/suricata-6.0.13’
LD_LIBRARY_PATH=/usr/local/lib /usr/local/bin/suricata-update
--suricata /usr/local/bin/suricata
--suricata-conf /usr/local/etc/suricata/suricata.yaml
--no-test --no”

Thanks in advance.

“make install-rules
make[1]: Entering directory ‘/home/hp/suricata-6.0.13’
LD_LIBRARY_PATH=/usr/local/lib /usr/local/bin/suricata-update
--suricata /usr/local/bin/suricata
--suricata-conf /usr/local/etc/suricata/suricata.yaml
--no-test --no-reload
error: pyyaml is required
make[1]: *** [Makefile:930: install-rules] Error 1
make[1]: Leaving directory ‘/home/hp/suricata-6.0.13’
make: *** [Makefile:915: install-full] Error 2”

Make sure PyYAML is installed; this can likely be done with:

apt install python3-yaml

then re-run make install-full.

Hi Jason,

Thanks for your reply. After installing the python3 package and re-running make install, the installation seems okay, but I am unable to start the services.
This is what I got after the installation finished: “You can now start suricata by running as root something like:
/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0”.

While running the startup command I got the message below:
hp@raspberrypi:~ $ sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0
sudo: /usr/bin/suricata: command not found


In your previous post you had:

--suricata /usr/local/bin/suricata

So this is the path in your case, I guess. Please look into the output of the make install and compilation process; it contains that information.

Hi Andreas,

I’m unable to get any output of the make install using "sudo make install -n":

1. @raspberrypi:~ $ sudo make -n
make: *** No targets specified and no makefile found. Stop

Below are the paths found for suricata:
2. sudo find / -name suricata

find: ‘/run/user/1000/gvfs’: Permission denied
/usr/local/bin/suricata
/usr/local/lib/suricata
/usr/local/lib/suricata/python/suricata
/usr/local/share/doc/suricata
/usr/local/share/suricata
/usr/local/etc/suricata
/usr/local/var/lib/suricata
/usr/local/var/log/suricata
/usr/local/var/run/suricata
/home/hp/Downloads/suricata
/home/hp/suricata-6.0.13/src/.libs/suricata
/home/hp/suricata-6.0.13/src/suricata
/home/hp/suricata-6.0.13/python/suricata
/home/hp/suricata-6.0.13/suricata-update/suricata

Why do you pass -n? Also, you seem to have found the Suricata binary, as I mentioned, in /usr/local/bin.

I used -n so that I would not be running the make installation program again.
Now, do I have to run “sudo /usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0”
from this location, /usr/local/bin? Or what do I need to run now, and from where, please?

No, the actual binary seems to be in /usr/local/bin and thus sudo /usr/local/bin/suricata -c ... would be the correct command. It depends on how you ran the build process, what arguments you passed and, if none, what default was picked up.

I would recommend reading more into Linux basics and how to compile and run applications. In addition to that, for Suricata itself read the documentation at https://docs.suricata.io

Hi Andreas,

Thanks for your reply. It looks like it is running fine:
hp@raspberrypi:~ $ sudo suricata -T
25/8/2023 -- 23:49:38 - - Running suricata under test mode
25/8/2023 -- 23:49:38 - - This is Suricata version 6.0.13 RELEASE running in SYSTEM mode
25/8/2023 -- 23:49:52 - - Configuration provided was successfully loaded. E

However, when I ran the status command it did not show the active status:
hp@raspberrypi:~ $ sudo systemctl status suricata.service
Unit suricata.service could not be found.

Did you create a systemd service file? An example one is shipped with Suricata and can be found in etc/ in the Suricata package.
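A unit file matching the /usr/local paths shown earlier in this thread, as an added example (it is not the unit shipped in Suricata's etc/ directory and not from any poster); it assumes the binary at /usr/local/bin/suricata, the config at /usr/local/etc/suricata/suricata.yaml and capture on eth0, and checks those paths exist before anything is written, since the earlier "command not found" came from pointing at /usr/bin instead of /usr/local/bin:

```shell
#!/bin/sh
# Added example: generate a systemd unit for a from-source Suricata installed under
# /usr/local, verify the paths it references, then enable it. Override the three
# variables (assumed defaults) if your `make install` output shows other locations.
SURICATA_BIN="${SURICATA_BIN:-/usr/local/bin/suricata}"
SURICATA_CONF="${SURICATA_CONF:-/usr/local/etc/suricata/suricata.yaml}"
IFACE="${IFACE:-eth0}"

# Print the unit text so it can be reviewed before it is installed.
suricata_unit() {
    cat <<EOF
[Unit]
Description=Suricata IDS/IPS (local build under /usr/local)
After=network.target

[Service]
Type=simple
# Validate the configuration (suricata -T) before every start.
ExecStartPre=$SURICATA_BIN -T -c $SURICATA_CONF
ExecStart=$SURICATA_BIN -c $SURICATA_CONF --af-packet=$IFACE
# SIGUSR2 makes Suricata reload its rules without restarting.
ExecReload=/bin/kill -USR2 \$MAINPID
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
}

# Refuse to write a unit whose binary or config does not exist on this host.
check_paths() {
    [ -x "$SURICATA_BIN" ] || { echo "binary not found: $SURICATA_BIN" >&2; return 1; }
    [ -r "$SURICATA_CONF" ] || { echo "config not found: $SURICATA_CONF" >&2; return 1; }
    return 0
}

# Write the unit, reload systemd and start the service (run as root).
install_unit() {
    check_paths || return 1
    suricata_unit > /etc/systemd/system/suricata.service
    systemctl daemon-reload
    systemctl enable --now suricata.service
    systemctl status suricata.service --no-pager
}

# Uncomment to apply on the Pi:
# install_unit
```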

Hi Andreas,

Thank you for your support. However, I was able to install and configure Suricata in IPS mode (inline AF_PACKET) and it was able to detect the DoS attack and drop it, but the challenge I faced was that Suricata shows the traffic as dropped on the console, yet when I try to access the web site (port 80) it is unreachable, and when I stop the attack the web site works again. Can you please assist in fixing this? I want the site to be available while Suricata is dropping the DoS attack, but the reverse is the case: Suricata shows "dropped", but the site on port 80 is not available, with the error "This site can’t be reached".

Kind regards,