suricata install

debian/ubuntu

check the version you would get from the main repo

apt search suricata

versus the version you would get from the official repo

apt install software-properties-common
# dirmngr
add-apt-repository ppa:oisf/suricata-stable

ENTER

now check the version that you will get

apt search suricata

and proceed (use official repo)

apt install suricata suricata-update

alpine linux

apk add suricata
# suricata-openrc

from source (possibly as IPS)

see suricata-source

enabling community rules

enable all free-of-charge community rules

suricata-update update-sources

# strip out colors - https://stackoverflow.com/a/18000433
foss_sources=`suricata-update list-sources | grep -E 'Name|License' | cut -f2 -d: | paste -d " "  - - | sort -V | grep -v Commercial | awk '{print $1}' | sed -r "s/\x1B\[([0-9]{1,3}(;[0-9]{1,2};?)?)?[mGK]//g"`

echo $foss_sources

for foss_source in $foss_sources; do
    echo -n enable source $foss_source ...
        suricata-update -q enable-source $foss_source >/dev/null && echo done
done; unset foss_source

suricata-update list-enabled-sources | sort -V

apply

    suricata-update -q

    ls -alhF /var/lib/suricata/rules/
    #ls -alhF /usr/local/share/suricata/rules/

ready to go

suricata -V
suricata --build-info | grep -i geoip

harden a little bit

    # 755 for /etc/suricata/ is fine, no passwords there

    chmod 700 /var/log/suricata/

additional notes

get rid of a whole ruleset source

    suricata-update disable-source pawpatrules

troubleshooting

deal with errors while checking with suricata -T

built-in rulesets

    cd /usr/share/suricata/rules/
    #cd /usr/local/share/suricata/rules/

grep ... *.rules

source rulesets

cd /var/lib/suricata/update/cache/

for f in *.tar.gz; do
    dest=extract_${f$\.tar\.gz}
    echo extracting $dest/
    mkdir -p $dest/
    tar xvzf $f -C $dest/
    echo
done; unset f

grep ... */*.rules
grep ... */*/*.rules

resources

https://nsrc.org/workshops/2015/pacnog17-ws/attachments/ex-installing-suricata.htm

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Debian_Installation

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation

https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation_-_Personal_Package_Archives_(PPA)

http://ppa.launchpad.net/oisf/suricata-stable/ubuntu/pool/main/s/suricata/

https://docs.suricata.io/en/latest/install.html#debian

https://docs.suricata.io/en/latest/install.html#ubuntu-from-personal-package-archives-ppa

https://computingforgeeks.com/how-to-install-suricata-ids-ips-on-debian/