3. Installation

Before Suricata can be used it has to be installed. Suricata can be installed on various distributions using binary packages; see Binary packages.

For people familiar with compiling their own software, the Source method is recommended.

Advanced users can check the advanced guides; see Advanced Installation.

3.1. Source

Installing from the source distribution files gives the most control over the Suricata installation.

The Suricata source distribution files should be verified before building the source; see Verifying Suricata Source Distribution Files.
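
The verification step above, as an added example (not from the Suricata documentation): a wrapper that unpacks the tarball only when gpg reports a valid signature made by a pinned key. The `.sig` file name, the function names and the fingerprint placeholder are assumptions; take the real fingerprint from Verifying Suricata Source Distribution Files.

```shell
#!/bin/sh
# Added example, not part of the Suricata docs. Assumes a detached
# signature file and that the signer's public key is already imported.

# Reads `gpg --status-fd` lines on stdin. Succeeds only if a VALIDSIG line
# names the pinned fingerprint as signing key ($3) or primary key (last field).
status_has_validsig() {
    awk -v fpr="$1" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && ($3 == fpr || $NF == fpr) { ok = 1 }
        END { exit ok ? 0 : 1 }'
}

# verify_then_extract TARBALL SIGNATURE FINGERPRINT
verify_then_extract() {
    tarball=$1
    sig=$2
    # Normalise the fingerprint to what gpg prints: uppercase hex, no spaces.
    fpr=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$fpr" ] || { echo "no fingerprint given" >&2; return 2; }
    [ -r "$tarball" ] && [ -r "$sig" ] || { echo "missing input file" >&2; return 2; }

    # gpg exits non-zero on a bad or unverifiable signature.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || {
        echo "signature check failed for $tarball" >&2; return 1; }

    # A good signature from some other key in the keyring is still a failure.
    printf '%s\n' "$status" | status_has_validsig "$fpr" || {
        echo "signature is not from pinned key $fpr" >&2; return 1; }

    tar xzf "$tarball"
}

# Usage (file names follow the 8.0.3 example; fingerprint is a placeholder):
#   verify_then_extract suricata-8.0.3.tar.gz suricata-8.0.3.tar.gz.sig \
#       "<FINGERPRINT FROM THE VERIFICATION PAGE>"
```

Checking the `VALIDSIG` fingerprint rather than only gpg's exit code matters when the keyring holds more than one key: any of them could otherwise produce a passing result.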

Basic steps using the Suricata 8.0.3 release as an example:

tar xzvf suricata-8.0.3.tar.gz
cd suricata-8.0.3
./configure
make
make install

This installs the Suricata binary into /usr/local/bin/, uses the default configuration in /usr/local/etc/suricata/ and writes output to /usr/local/var/log/suricata.

3.1.1. Common configure options

--disable-gccmarch-native

Do not optimize the binary for the hardware it is built on. Add this flag if the binary is meant to be portable or if Suricata is to be used in a VM.

--prefix=/usr/

Installs the Suricata binary into /usr/bin/. Default /usr/local/

--sysconfdir=/etc

Installs the Suricata configuration files into /etc/suricata/. Default /usr/local/etc/

--localstatedir=/var

Sets up Suricata to log into /var/log/suricata/. Default /usr/local/var/log/suricata

--enable-geoip

Enables GeoIP support for detection.

--enable-dpdk

Enables DPDK packet capture method.

3.1.2. Dependencies and compilation

3.1.2.1. Ubuntu/Debian

Note

The following instructions require sudo to be installed.

Minimal dependencies for Ubuntu/Debian:

sudo apt -y install autoconf automake build-essential cargo \
    libjansson-dev libpcap-dev libpcre2-dev libtool \
    libyaml-dev make pkg-config rustc zlib1g-dev

3.1.2.2. CentOS, AlmaLinux, RockyLinux, Fedora, etc

Note

The following instructions require sudo to be installed.

To install all minimal dependencies, most distributions require an extra package repository to be enabled. Depending on the distribution, enable it in one of the following ways:

sudo dnf -y update
sudo dnf -y install epel-release dnf-plugins-core
# AlmaLinux 8 / RockyLinux 8
sudo dnf config-manager --set-enabled powertools
# AlmaLinux 9 / RockyLinux 9
sudo dnf config-manager --set-enabled crb
# Oracle Linux 8
sudo dnf config-manager --set-enabled ol8_codeready_builder
# Oracle Linux 9
sudo dnf config-manager --set-enabled ol9_codeready_builder

Minimal dependencies for RPM-based distributions:

sudo dnf install -y dnf-plugins-core epel-release
sudo dnf install -y cargo gcc jansson-devel libpcap-devel \
    libyaml-devel make pcre2-devel zlib-devel

3.1.2.3. Windows

For building and installing from source on Windows, see Building on Windows.

3.1.2.4. Compilation

Follow these steps from your Suricata directory:

./configure # you may want to add additional parameters here
# ./configure --help to get all available parameters
# -j sets the number of parallel make jobs; choose a number that is
# suitable for your build system
make -j8
make install # to install your Suricata compiled binary
# make install-full - installs configuration and rulesets as well

3.1.2.5. Rust support

Rust packages can be found in package managers, but some distributions don't provide Rust or provide outdated Rust packages. If the available version is insufficient, you can install Rust directly from the Rust project itself:

1) Install Rust: https://www.rust-lang.org/en-US/install.html
2) Install cbindgen - if cbindgen is not found in the repository
   or the cbindgen version is lower than required, it can
   alternatively be installed with: cargo install --force cbindgen
3) Make sure the cargo path is within your PATH environment
   (use $HOME here; a ~ inside double quotes is not expanded):
   echo 'export PATH="$HOME/.cargo/bin:${PATH}"' >> ~/.bashrc
   export PATH="$HOME/.cargo/bin:${PATH}"

3.1.3. Auto-Setup

You can also use the available auto-setup features of Suricata:

./configure && make && sudo make install-conf

make install-conf runs the regular "make install" and then automatically creates and sets up all the necessary directories and suricata.yaml for you.

./configure && make && sudo make install-rules

make install-rules runs the regular "make install" and then automatically downloads and sets up the latest ruleset from Emerging Threats available for Suricata.

./configure && make && sudo make install-full

make install-full combines everything mentioned above (install-conf and install-rules) and presents you with a ready-to-run (configured and set-up) Suricata.

3.2. Binary packages

Suricata is available on various distributions as binary packages. These offer a convenient way to install and manage Suricata without compiling from source.

For Ubuntu systems:

See Ubuntu Package Installation for detailed instructions on installing from PPA repositories.

For Debian systems:

See Debian Package Installation for detailed instructions on installing from official repositories and backports.

For RPM-based distributions (CentOS, AlmaLinux, RockyLinux, Fedora, etc):

See RPM Installation for detailed instructions on installing from COPR repositories.

For other distributions:

See Other Package Installations for installation instructions for Arch Linux and other distributions.

3.3. Advanced Installation

If you are using Ubuntu, you can follow Installation from GIT.

For other guides on installing from GIT and on other operating systems, see the following page (bear in mind that these guides may be somewhat outdated): https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Installation