Suricata 1.4.4 Released – A Network Intrusion Detection, Prevention and Security Monitoring System

Suricata is an open source high performance modern Network Intrusion Detection, Prevention and Security Monitoring System for Unix/Linux, FreeBSD and Windows based systems. It was developed and owned by a non-profit foundation the OISF (Open Information Security Foundation).

Recently, the OISF project team announced the release of Suricata 1.4.4 with minor but crucial updates and fixed some essential bugs over the previous release.

Install Suricata Intrusion Detection
Install Suricata Intrusion Detection and Prevention

Suricata Features


Suricata is a rule-based Intrusion Detection and Prevention engine that make use of externally developed rules sets to monitor network traffic, as well as able to handle multiple gigabyte traffic and gives email alerts to the System/Network administrators.


Suricata provides speed and importance in network traffic determination. The engine is developed to apply the increased processing power offered by modern multi-core hardware chip sets.

Automatic Protocol Detection

The engine not only provides keywords for TCP, UDP, ICMP and IP, but also has an built-in support for HTTP, FTP, TLS and SMB. A system administrator can able to create its own rule to detect a match within an HTTP stream. This is going to become different Malware detection and control.

Fast IP Matching

The engine will certainly take rules that are IP matches based on the RBN and compromised IP lists at Emerging Threats and keep them into a specific fast matching preprocessor.

Read Also : Install LMD – Linux Malware Detect in Linux

Step :1 Installing Suricata in RHEL, CentOS and Fedora

You must use the Fedora’s EPEL repository to install some needed packages for i386 and x86_64 systems.

  1. Enable Fedora’s EPEL repository

Before you can compile and build Suricata for your system, install the following dependency packages that are required for further installation. The process may take a while to complete, depending on the internet speed.

# yum -y install libpcap libpcap-devel libnet libnet-devel pcre \
pcre-devel gcc gcc-c++ automake autoconf libtool make libyaml \
libyaml-devel zlib zlib-devel libcap-ng libcap-ng-devel magic magic-devel file file-devel
IPS Support

Next, build Suricata with IPS support. For this, we to need “libnfnetlink” and “libnetfilter_queue” packages, but these pre-built packages not available in the EPEL or CentOS Base repositories. So, we need to download and install rpms from the Emerging Threats CentOS repository.

For 32-Bit
# rpm -Uvh \ \ \
For 64-Bit
# rpm -Uvh \ \ \
Download Suricata

Download latest Suricata source files and build it using the following commands.

# cd /tmp
# wget
# tar -xvzf suricata-1.4.4.tar.gz
# cd suricata-1.4.4

Now we use Suricata Auto Setup feature to automatically create all necessary directories, configuration files and latest rulesets.

# ./configure && make && make install-conf
# ./configure && make && make install-rules
# ./configure && make && make install-full

Step 2: Installing Suricata in Debian and Ubuntu

Before, beginning installation, you must have the following pre-requisites packages installed on the system to proceed further. Make sure you must be root user to run the following command. This installation process may take some time, depending on the current speed of your internet.

# apt-get -y install libpcre3 libpcre3-dbg libpcre3-dev \
build-essential autoconf automake libtool libpcap-dev libnet1-dev \
libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev \
pkg-config magic file libhtp-dev
IPS Support

By default, works as an IDS. If you want to add IDS support, install some needed packages as follows.

# apt-get -y install libnetfilter-queue-dev libnetfilter-queue1 libnfnetlink-dev libnfnetlink0
Download Suricata

Download latest Suricata tar-ball and build it using the following commands.

# cd /tmp
# wget
# tar -xvzf suricata-1.4.4.tar.gz
# cd suricata-1.4.4

Use Suricata Auto Setup option to create all needed directories, configuration files and rulesets automatically as shown below.

# ./configure && make && make install-conf
# ./configure && make && make install-rules
# ./configure && make && make install-full

Step 3: Suricata Basic Setup

After downloading and installing Suricata, now its time to proceed to Basic Setup. Create following directorates.

# mkdir /var/log/suricata
# mkdir /etc/suricata

The next part is to copy configuration files such as “classification.config“, “reference.config” and “suricata.yaml” from the base build installation directory.

# cd /tmp/suricata-1.4.4
# cp classification.config /etc/suricata
# cp reference.config /etc/suricata
# cp suricata.yaml /etc/suricata

Finally, start the “Suricata Engine” first time and specify the interface device name of your preference. Instead of eth0, you can include the network card of your preference.

# suricata -c /etc/suricata/suricata.yaml -i eth0

23/7/2013 -- 12:22:45 -  - This is Suricata version 1.4.4 RELEASE
23/7/2013 -- 12:22:45 -  - CPUs/cores online: 2
23/7/2013 -- 12:22:45 -  - Found an MTU of 1500 for 'eth0'
23/7/2013 -- 12:22:45 -  - allocated 2097152 bytes of memory for the defrag hash... 65536 buckets of size 32
23/7/2013 -- 12:22:45 -  - preallocated 65535 defrag trackers of size 104
23/7/2013 -- 12:22:45 -  - defrag memory usage: 8912792 bytes, maximum: 33554432
23/7/2013 -- 12:22:45 -  - AutoFP mode using default "Active Packets" flow load balancer
23/7/2013 -- 12:22:45 -  - preallocated 1024 packets. Total memory 3170304
23/7/2013 -- 12:22:45 -  - allocated 131072 bytes of memory for the host hash... 4096 buckets of size 32
23/7/2013 -- 12:22:45 -  - preallocated 1000 hosts of size 76
23/7/2013 -- 12:22:45 -  - host memory usage: 207072 bytes, maximum: 16777216
23/7/2013 -- 12:22:45 -  - allocated 2097152 bytes of memory for the flow hash... 65536 buckets of size 32
23/7/2013 -- 12:22:45 -  - preallocated 10000 flows of size 176
23/7/2013 -- 12:22:45 -  - flow memory usage: 3857152 bytes, maximum: 33554432
23/7/2013 -- 12:22:45 -  - IP reputation disabled
23/7/2013 -- 12:22:45 -  - using magic-file /usr/share/file/magic

After several minutes later, check the engine is correctly working and receives and inspects traffic.

# cd /usr/local/var/log/suricata/
# ls -l

-rw-r--r-- 1 root root  25331 Jul 23 12:27 fast.log
drwxr-xr-x 2 root root   4096 Jul 23 11:34 files
-rw-r--r-- 1 root root  12345 Jul 23 11:37 http.log
-rw-r--r-- 1 root root 650978 Jul 23 12:27 stats.log
-rw-r--r-- 1 root root  22853 Jul 23 11:53 unified2.alert.1374557837
-rw-r--r-- 1 root root   2691 Jul 23 12:09 unified2.alert.1374559711
-rw-r--r-- 1 root root   2143 Jul 23 12:13 unified2.alert.1374559939
-rw-r--r-- 1 root root   6262 Jul 23 12:27 unified2.alert.1374560613

Watch “stats.log” file and make sure the displayed information is up-dated in real time.

# tail -f stats.log

tcp.reassembly_memuse     | Detect                    | 0
tcp.reassembly_gap        | Detect                    | 0
detect.alert              | Detect                    | 27
flow_mgr.closed_pruned    | FlowManagerThread         | 3
flow_mgr.new_pruned       | FlowManagerThread         | 277
flow_mgr.est_pruned       | FlowManagerThread         | 0
flow.memuse               | FlowManagerThread         | 3870000
flow.spare                | FlowManagerThread         | 10000
flow.emerg_mode_entered   | FlowManagerThread         | 0
flow.emerg_mode_over      | FlowManagerThread         | 0

Reference Links

Suricata Homepage
Suricata User Guide

If you liked this article, then do subscribe to email alerts for Linux tutorials. If you have any questions or doubts? do ask for help in the comments section.

If You Appreciate What We Do Here On TecMint, You Should Consider:

TecMint is the fastest growing and most trusted community site for any kind of Linux Articles, Guides and Books on the web. Millions of people visit TecMint! to search or browse the thousands of published articles available FREELY to all.

If you like what you are reading, please consider buying us a coffee ( or 2 ) as a token of appreciation.

Support Us

We are thankful for your never ending support.

11 thoughts on “Suricata 1.4.4 Released – A Network Intrusion Detection, Prevention and Security Monitoring System”

  1. How close are the instructions for building on OEL or Oracle RAC DB appliance? I’m running into an issue where the install seizes during make or I get this error:

  2. Hi there

    can you shed some light on suricata rules update, Below are the following doubts

    1. i wantto configure VRT rules with suricata
    2. when ever i download the rules , do i need to update the suricata.yaml file with the rule name


    • @Rishi,
      I think yes, you should update the suricata.yaml file after every change you make..never tried this, but you should try and update us..

  3. How to get rid of this issue.

    22/9/2014 — 10:57:49 – – [ERRCODE: SC_ERR_OPENING_RULE_FILE(41)] – opening rule file /etc/suricata/rules/dns-events.rules: No such file or directory.
    22/9/2014 — 10:57:56 – – [ERRCODE: SC_ERR_NOT_SUPPORTED(225)] – Eve-log support not compiled in. Reconfigure/recompile with libjansson and its development files installed to add eve-log support.
    22/9/2014 — 10:57:56 – – [ERRCODE: SC_ERR_PCAP_CREATE(21)] – Using Pcap capture with GRO or LRO activated can lead to capture problems.

    • ERRCODE 41 copy dns-events.rules from the extracted suricata source to /etc/suricata/rules/
      cp -r ~/suricata-version/rules/dns-events.rules /etc/suricata/rules/

      ERRCODE 225 compile libjansson from source before you install suricata:
      compile libjansson from source:
      tar xzvf jansson-2.7.tar.gz
      cd jansson-2.7
      make check
      sudo make install

      ERRCODE 21 to fix GRO & LRO warnings:
      sudo ethtool -K bond1 gro off
      sudo ethtool -K bond1 lro off

  4. hi
    The suricata run cmd gives undefined symbol:

    – what is missing please?:

    [email protected]:/home/stevee# suricata -c /etc/suricata/suricata.yaml -i eth0

    5/4/2014 — 13:18:16 – – This is Suricata version 1.4.4 RELEASE
    5/4/2014 — 13:18:16 – – CPUs/cores online: 2
    suricata: symbol lookup error: suricata: undefined symbol: htp_config_set_query_case_insensitive

  5. Hi Dude,

    You mentioned about email alerts but there is no configuration given. can you please tell me how to configure alerts.


    • I’ve checked dude, links are working correctly, can you download manually using wget command and then install it.


Got something to say? Join the discussion.

Have a question or suggestion? Please leave a comment to start the discussion. Please keep in mind that all comments are moderated and your email address will NOT be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.