Thanks to the hard work of Arturo Borrero Gonzalez, Suricata has just been added to the Debian ‘backports’ repository. This allows users of Debian stable to run up to date versions of Suricata.
The ‘Backports’ repository makes the Suricata and libhtp packages from Debian Testing available to ‘stable’ users. As ‘testing’ is currently in a freeze, it may take a bit of time before 2.0.5 and libhtp 0.5.16 appear.
Anyway, here is how to use it.
Install
First add backports repo to your sources:
# echo "deb http://http.debian.net/debian wheezy-backports main" > /etc/apt/sources.list.d/backports.list
# apt-get update
As explained here http://backports.debian.org/Instructions/, this will not affect your normal packages.
To prove this, check:
# apt-get install suricata -s
Conf libhtp1 (0.2.6-2 Debian:7.7/stable [amd64])
Conf suricata (1.2.1-2 Debian:7.7/stable [amd64])
Not what we want, as that is still the old version.
To install Suricata from backports, we need to specify the repo:
# apt-get install -t wheezy-backports suricata -s
Conf libhtp1 (0.5.15-1~bpo70+1 Debian Backports:/wheezy-backports [amd64])
Conf suricata (2.0.4-1~bpo70+1 Debian Backports:/wheezy-backports [amd64])
Let’s do it!
# apt-get install -t wheezy-backports suricata
...
Setting up suricata (2.0.4-1~bpo70+1) ...
[FAIL] suricata disabled, please adjust the configuration to your needs ... failed!
[FAIL] and then set RUN to 'yes' in /etc/default/suricata to enable it. ... failed!
Suricata 2.0.4 is now installed, but it’s not yet running.
To see what features have been compiled in, run:
# suricata --build-info
This is Suricata version 2.0.4 RELEASE
Suricata Configuration:
  AF_PACKET support:     yes
  PF_RING support:       no
  NFQueue support:       yes
  NFLOG support:         no
  IPFW support:          no
  DAG enabled:           no
  Napatech enabled:      no
  Unix socket enabled:   yes
  Detection enabled:     yes
  libnss support:        yes
  libnspr support:       yes
  libjansson support:    yes
  Prelude support:       yes
  PCRE jit:              yes
  LUA support:           yes
  libluajit:             yes
  libgeoip:              no
  Non-bundled htp:       yes
  Old barnyard2 support: no
  CUDA enabled:          no
  Suricatasc install:    yes
It has LuaJIT enabled, libjansson for the JSON output, NFQ and AF_PACKET IPS modes, NSS for MD5 checksums, and unix sockets. Quite a good feature set.
Run
To get it running, we need a few more steps:
Edit /etc/default/suricata:
1. Change RUN=no to RUN=yes
2. Change LISTENMODE to “af-packet”.
Now let's start it.
# service suricata start
Starting suricata in IDS (af-packet) mode... done.
And confirm that it’s running.
# ps aux|grep suricata
root 20295 1.8 4.1 200212 42544 ? Ssl 00:50 0:00 /usr/bin/suricata -c /etc/suricata/suricata-debian.yaml --pidfile /var/run/suricata.pid --af-packet -D
Check if we’re seeing traffic:
# tail /var/log/suricata/stats.log -f|grep capture
capture.kernel_packets | RxAFPeth01 | 406
capture.kernel_drops | RxAFPeth01 | 0
capture.kernel_packets | RxAFPeth11 | 0
capture.kernel_drops | RxAFPeth11 | 0
capture.kernel_packets | RxAFPeth01 | 411
capture.kernel_drops | RxAFPeth01 | 0
capture.kernel_packets | RxAFPeth11 | 0
capture.kernel_drops | RxAFPeth11 | 0
capture.kernel_packets | RxAFPeth01 | 417
capture.kernel_drops | RxAFPeth01 | 0
capture.kernel_packets | RxAFPeth11 | 0
capture.kernel_drops | RxAFPeth11 | 0
capture.kernel_packets | RxAFPeth01 | 587
capture.kernel_drops | RxAFPeth01 | 0
capture.kernel_packets | RxAFPeth11 | 0
capture.kernel_drops | RxAFPeth11 | 0
capture.kernel_packets | RxAFPeth01 | 593
capture.kernel_drops | RxAFPeth01 | 0
capture.kernel_packets | RxAFPeth11 | 0
capture.kernel_drops | RxAFPeth11 | 0
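The capture counters above are cumulative, so the number that matters operationally is how many kernel_drops accumulate per interval relative to kernel_packets. The following is an added example (not from the original post) that parses rows in the format shown by the grep above and flags capture threads whose drop rate exceeds a threshold; the sample rows are constructed.

```python
"""Check Suricata stats.log capture counters for kernel packet drops."""
import re
from collections import defaultdict

# Matches the 'counter | thread | value' rows of stats.log.
STATS_ROW = re.compile(r"^([\w.]+)\s*\|\s*(\S+)\s*\|\s*(\d+)\s*$")

# Constructed sample in the format `grep capture` prints from stats.log:
# cumulative counters for two af-packet threads over two dumps, with
# drops appearing on RxAFPeth01 in the second interval.
SAMPLE = """\
capture.kernel_packets | RxAFPeth01 | 587
capture.kernel_drops | RxAFPeth01 | 0
capture.kernel_packets | RxAFPeth11 | 0
capture.kernel_drops | RxAFPeth11 | 0
capture.kernel_packets | RxAFPeth01 | 1587
capture.kernel_drops | RxAFPeth01 | 50
capture.kernel_packets | RxAFPeth11 | 0
capture.kernel_drops | RxAFPeth11 | 0
"""

def parse_capture_counters(text):
    """Return {thread: [(packets, drops), ...]} in dump order; counters are
    cumulative and each dump prints packets then drops per thread."""
    series = defaultdict(list)
    pending = {}  # thread -> packets value awaiting its drops row
    for line in text.splitlines():
        m = STATS_ROW.match(line.strip())
        if not m:
            continue  # headers, separators, unrelated counters
        counter, thread, value = m.group(1), m.group(2), int(m.group(3))
        if counter == "capture.kernel_packets":
            pending[thread] = value
        elif counter == "capture.kernel_drops" and thread in pending:
            series[thread].append((pending.pop(thread), value))
    return dict(series)

def drop_report(series, threshold_pct=1.0):
    """Per-thread (delta_packets, delta_drops, drop_pct, over_threshold)
    for the most recent interval between two dumps."""
    report = {}
    for thread, samples in series.items():
        if len(samples) < 2:
            continue  # need two dumps to compute a delta
        (p0, d0), (p1, d1) = samples[-2], samples[-1]
        dp, dd = p1 - p0, d1 - d0
        pct = 100.0 * dd / dp if dp else 0.0
        report[thread] = (dp, dd, pct, pct > threshold_pct)
    return report
```

Feed it the output of `grep capture` on a live stats.log; a thread that keeps crossing the threshold means the kernel is discarding packets before Suricata inspects them.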
Logging
As the init script starts Suricata in daemon mode, we need to enable logging to file:
Edit /etc/suricata/suricata-debian.yaml and go to the “logging:” section, there change the “file” portion to look like:
- file:
    enabled: yes
    filename: /var/log/suricata/suricata.log
Note: in the YAML indentation matters, so make sure it’s exactly right.
Rules
Oinkmaster is automatically installed, so let's use that:
First create the rules directory:
mkdir /etc/suricata/rules/
Open /etc/oinkmaster.conf in your editor and add:
url = https://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz
Then run:
# oinkmaster -C /etc/oinkmaster.conf -o /etc/suricata/rules
Loading /etc/oinkmaster.conf
Downloading file from https://rules.emergingthreats.net/open/suricata-2.0/emerging.rules.tar.gz... done.
...
Edit /etc/suricata/suricata-debian.yaml and change “default-rule-path” to:
default-rule-path: /etc/suricata/rules
Finally, restart to load the new rules:
# service suricata restart
Validate
Now that Suricata is running with rules, let's see if it works:
# wget http://www.testmyids.com
--2015-01-08 01:21:30-- http://www.testmyids.com/
Resolving www.testmyids.com (www.testmyids.com)... 82.165.177.154
This should trigger a specific rule:
# tail /var/log/suricata/fast.log
01/08/2015-01:21:30.870346 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 82.165.177.154:80 -> 192.168.122.181:59190
Success!
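To turn this manual check into something repeatable, here is an added example (not from the original post) that parses fast.log lines in the layout shown above and looks up alerts by signature id, so a script can confirm that sid 2100498 fired after the testmyids request. The sample lines are constructed and the address parsing assumes IPv4.

```python
"""Parse Suricata fast.log alert lines and look up alerts by signature id."""
import re

# fast.log layout: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...]
# [Priority: N] {PROTO} src:port -> dst:port. Classification is optional
# because rules without a classtype omit it. Assumes IPv4 addresses.
FAST_LINE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\S+?):(?P<sport>\d+)\s+->\s+(?P<dst>\S+?):(?P<dport>\d+)\s*$"
)

# Constructed sample: the alert from the post plus a line without a classtype.
SAMPLE = """\
01/08/2015-01:21:30.870346 [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 82.165.177.154:80 -> 192.168.122.181:59190
01/08/2015-01:22:01.000123 [**] [1:9000001:1] LOCAL test rule without classtype [**] [Priority: 3] {UDP} 192.168.122.181:5353 -> 224.0.0.251:5353
"""

def parse_fast_log(text):
    """Return a list of alert dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LINE.match(line)
        if not m:
            continue
        alert = m.groupdict()  # 'cls' is None when no classification is present
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            alert[key] = int(alert[key])
        alerts.append(alert)
    return alerts

def find_sid(alerts, sid):
    """Alerts for one signature id, e.g. 2100498 for the testmyids check."""
    return [a for a in alerts if a["sid"] == sid]
```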
Thanks
Thanks to Arturo Borrero Gonzalez for taking on this work for us. Also many thanks to Pierre Chifflier for maintaining the Suricata and libhtp packages in Debian.
After following these instructions, every attempt to run Suricata (including “suricata --build-info”) failed with the message “Illegal instruction”. Running Raspbian on a Raspberry Pi B.
When we see that in other cases, it's generally caused by the gcc flag -march=native. Not sure if the backports would have that.
Just got Suricata 2.0.7 working inline (IPS) on RPi v3 on Jessie. Installed with very simple apt-get install suricata. Getting the Pi to work inline was the challenge. FYI the GCC march native enabled flag is “no”. Other GCC flags are…GCC Binary=gcc. GCC Protect enabled=yes. GCC Profile enabled=no.
If you need any info or anything tested, let me know. Will be trying to build Suricata v3.1-1 using jessie-backports next, and will let you all know if this is successful or not.
Should have mentioned that the GCC version in this working build is 4.9.2 C Version 199901.