Learn how to install, configure, and test Suricata IDS on AlmaLinux 10 with practical commands, sample rules, and best practices. Improve network security.
Introduction:
Protecting our network is no longer optional — it’s essential. An Intrusion Detection System (IDS) like Suricata helps us spot threats in real-time, analyze network traffic, and improve security posture. In this guide, we will walk through installing and configuring Suricata on AlmaLinux 10, using practical commands and best practices.
Suricata is an open-source, high-performance IDS/IPS and network security monitoring (NSM) engine. It can inspect live traffic, log network flows, and detect attacks using community-driven rule sets.
Prerequisites
Before we begin, ensure we have the following:
- An AlmaLinux 10 dedicated server or KVM VPS.
- Basic Linux command line knowledge.
Install & Configure Suricata IDS on AlmaLinux 10
Step 1: Prepare Our AlmaLinux 10 System
Before we install anything, we update our server to ensure the latest security patches are applied.
sudo dnf update -y
sudo dnf install epel-release -y
sudo dnf install jq curl vim -y
Suricata depends on libraries and tools that work best when the system is up to date.
Step 2: Install Suricata
Suricata is available from the official OISF (Open Information Security Foundation) repository. We enable the repository and install the package:
sudo dnf install -y dnf-plugins-core
sudo dnf copr enable @oisf/suricata-8.0
sudo dnf install suricata -y
This gives us the latest stable release directly maintained by the Suricata team.
Step 3: Verify Installation
Let’s confirm Suricata is installed correctly:
suricata --build-info
This command prints the build information and confirms we are using the right version.
Step 4: Enable and Start the Suricata Service
Suricata runs as a systemd service on AlmaLinux. We enable it at boot and start it:
sudo systemctl enable suricata
sudo systemctl start suricata
When the service status shows active (running), we know Suricata is live.
Step 5: Configure Network Interface
By default, Suricata monitors eth0. If our system uses a different interface, we edit the configuration file:
sudo vim /etc/suricata/suricata.yaml
Find the section:
af-packet:
- interface: eth0
Replace eth0 with the correct interface name. With the OISF packages, the systemd unit also reads its capture interface from the OPTIONS line in /etc/sysconfig/suricata, so set the same name there. We can check the interface name using:
ip addr
Step 6: Update and Download Rules
Rules are what make Suricata useful. We fetch the latest Emerging Threats ruleset:
sudo suricata-update
sudo systemctl restart suricata
This ensures our IDS can detect modern threats, not just legacy signatures.
Step 7: Add and Test Sample Suricata Rules
We can create our own rules to detect simple attack patterns. This helps verify that Suricata is running properly.
Create a Custom Rule File
sudo mkdir -p /etc/suricata/rules
sudo nano /etc/suricata/rules/local.rules
Add these sample rules:
# Detect SSH brute-force attempts: more than 5 new TCP connections to port 22 from one source within 60 seconds
alert tcp any any -> any 22 (msg:"Possible SSH Brute-Force"; flow:to_server; flags:S,12; detection_filter:track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000001; rev:1;)
# Detect ICMP ping floods: more than 20 echo requests from one source within 10 seconds
alert icmp any any -> any any (msg:"ICMP Ping Flood Detected"; itype:8; detection_filter:track by_src, count 20, seconds 10; classtype:attempted-dos; sid:1000002; rev:1;)
# Detect requests for .exe files over HTTP (matches ".exe" anywhere in the request URI)
alert http any any -> any any (msg:"Suspicious EXE Download"; http.uri; content:".exe"; nocase; classtype:trojan-activity; sid:1000003; rev:1;)
Save and exit.
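Before restarting the service it is worth checking a local rule file for the mistakes that silently break detection: a missing msg/sid/rev/classtype, a sid below the local range (1,000,000 and up is reserved for our own rules), a duplicate sid, or a malformed detection_filter. The checker below is an added example written for this guide, not part of Suricata or the OISF tooling; it parses the rule header and options with a small tokenizer that respects quoted strings, and runs on a constructed copy of three local rules embedded in the script so it needs nothing from /etc/suricata.

```python
import re

# Constructed sample input: three local rules in the same form as the ones
# in this guide, embedded so the checker runs without touching /etc/suricata.
SAMPLE_RULES = r'''
# Detect SSH brute-force attempts
alert tcp any any -> any 22 (msg:"Possible SSH Brute-Force"; flow:to_server; flags:S,12; detection_filter:track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000001; rev:1;)
# Detect ICMP ping floods
alert icmp any any -> any any (msg:"ICMP Ping Flood Detected"; itype:8; detection_filter:track by_src, count 20, seconds 10; classtype:attempted-dos; sid:1000002; rev:1;)
# Detect requests for .exe files over HTTP
alert http any any -> any any (msg:"Suspicious EXE Download"; http.uri; content:".exe"; nocase; classtype:trojan-activity; sid:1000003; rev:1;)
'''

# Rule header: action, protocol, source, source port, direction, destination,
# destination port, then the option body in parentheses.
HEADER_RE = re.compile(
    r'^(?P<action>alert|drop|pass|reject)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$'
)
LOCAL_SID_MIN = 1_000_000          # sids from 1,000,000 upward are reserved for local rules
REQUIRED_OPTIONS = ('msg', 'sid', 'rev', 'classtype')
DETECTION_FILTER_RE = re.compile(r'track\s+by_(src|dst)\s*,\s*count\s+\d+\s*,\s*seconds\s+\d+')


def split_options(opts):
    """Split the option body on ';' while leaving quoted strings intact."""
    items, buf, quoted, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if c == '\\' and quoted and i + 1 < len(opts):   # keep escaped chars inside quotes
            buf.append(opts[i:i + 2])
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        if c == ';' and not quoted:
            item = ''.join(buf).strip()
            if item:
                items.append(item)
            buf = []
        else:
            buf.append(c)
        i += 1
    tail = ''.join(buf).strip()
    if tail:
        items.append(tail)
    return items


def parse_rule(line):
    """Return the header fields and an option map for one rule, or None if the header is malformed."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    opts = {}
    for item in split_options(m.group('opts')):
        key, _, val = item.partition(':')        # keywords like 'nocase' have no value
        opts.setdefault(key.strip(), []).append(val.strip())
    return {'action': m.group('action'), 'proto': m.group('proto'),
            'dport': m.group('dport'), 'opts': opts}


def check_rules(text):
    """Return a list of (line_number, problem) tuples; an empty list means every rule passed."""
    problems, seen_sids = [], {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        rule = parse_rule(line)
        if rule is None:
            problems.append((lineno, 'unparseable rule header'))
            continue
        opts = rule['opts']
        for req in REQUIRED_OPTIONS:
            if req not in opts:
                problems.append((lineno, f'missing {req}'))
        if 'sid' in opts:
            try:
                sid = int(opts['sid'][0])
            except ValueError:
                problems.append((lineno, 'non-numeric sid'))
                continue
            if sid < LOCAL_SID_MIN:
                problems.append((lineno, f'sid {sid} is below the local range (>= {LOCAL_SID_MIN})'))
            if sid in seen_sids:
                problems.append((lineno, f'duplicate sid {sid} (also on line {seen_sids[sid]})'))
            seen_sids[sid] = lineno
        for df in opts.get('detection_filter', []):
            if not DETECTION_FILTER_RE.fullmatch(df):
                problems.append((lineno, f'malformed detection_filter: {df}'))
    return problems


if __name__ == '__main__':
    for lineno, problem in check_rules(SAMPLE_RULES) or [(0, 'all rules OK')]:
        print(lineno, problem)
```

To run it against the real file, read /etc/suricata/rules/local.rules into a string and pass it to check_rules. This is a pre-flight check only; Suricata's own parser remains the authority, so a rule that passes here can still be rejected at startup and will then show up in journalctl.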
Enable the Local Rule File
Open the Suricata configuration file:
sudo nano /etc/suricata/suricata.yaml
Under the rule-files: section, add local.rules. Because default-rule-path points at /var/lib/suricata/rules (where suricata-update writes suricata.rules), a bare local.rules would be looked up there, so we give our file its full path:
rule-files:
- suricata.rules
- /etc/suricata/rules/local.rules
Restart Suricata to apply:
sudo systemctl restart suricata
Testing the Rules
SSH brute force test: Try multiple failed SSH login attempts from another machine:
ssh wronguser@<server-ip>
Repeat 5–6 times within a minute.
Ping flood test: From another host, send rapid pings:
ping -f <server-ip>
Suspicious download test: Request a file with .exe in the URL:
curl http://<server-ip>/malicious.exe
Check Suricata logs for alerts:
tail -f /var/log/suricata/fast.log
You should see entries like:
09/26/2025-08:30:55.123456 [**] [1:1000001:1] Possible SSH Brute-Force [**] ...
These rules give us a hands-on check that Suricata is inspecting traffic and alerting as expected, and a starting point for writing more specific detections of our own.
Step 8: Tune Logging and Performance
Suricata generates multiple log files: fast.log, eve.json, and others. JSON output integrates best with SIEM tools; we enable it by editing /etc/suricata/suricata.yaml and turning on the eve-log output.
For performance, we match the number of Suricata threads to CPU cores:
grep -c ^processor /proc/cpuinfo
Then adjust threads under the af-packet section accordingly.
Step 9: Enable Automatic Rule Updates
Keeping rules fresh is critical. We add a cron job to update them daily:
sudo crontab -e
Add:
0 3 * * * /usr/bin/suricata-update && systemctl restart suricata
This runs every night at 3 AM and keeps detection current.
Step 10: Monitor and Maintain
We regularly check logs and system resource usage:
sudo journalctl -u suricata -f
sudo tail -f /var/log/suricata/eve.json
This ensures our IDS stays healthy and continues protecting the network.
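Tailing eve.json shows individual events, and jq (installed in Step 1) is fine for ad-hoc queries, but a maintenance routine needs a repeatable summary: which signatures fire most, which sources generate the most alerts, and which sources trip more than one signature. The script below is an added example written for this guide, not part of Suricata; it reads EVE records (one JSON object per line, using the event_type, src_ip, dest_port and alert.signature_id/signature/category/severity fields Suricata emits), skips non-alert events such as flow records, and tolerates a truncated line of the kind a live tail produces. The input is a constructed sample embedded in the script, imitating what the three local rules from Step 7 would log.

```python
import json
from collections import Counter, defaultdict


def _alert(ts, src, dest_port, proto, sid, sig, category, severity):
    """Build one constructed EVE alert record in the shape Suricata writes to eve.json."""
    return {"timestamp": ts, "event_type": "alert", "src_ip": src, "dest_ip": "198.51.100.5",
            "dest_port": dest_port, "proto": proto,
            "alert": {"signature_id": sid, "rev": 1, "signature": sig,
                      "category": category, "severity": severity}}


# Constructed sample log: six alerts, one flow record, and one truncated line.
_EVENTS = [
    _alert("2025-09-26T08:30:55.123456+0000", "203.0.113.10", 22, "TCP", 1000001,
           "Possible SSH Brute-Force", "Attempted Administrator Privilege Gain", 1),
    _alert("2025-09-26T08:30:56.201000+0000", "203.0.113.10", 22, "TCP", 1000001,
           "Possible SSH Brute-Force", "Attempted Administrator Privilege Gain", 1),
    _alert("2025-09-26T08:30:57.008800+0000", "203.0.113.10", 22, "TCP", 1000001,
           "Possible SSH Brute-Force", "Attempted Administrator Privilege Gain", 1),
    _alert("2025-09-26T08:31:10.550000+0000", "203.0.113.10", 80, "TCP", 1000003,
           "Suspicious EXE Download", "A Network Trojan was detected", 1),
    _alert("2025-09-26T08:31:11.900000+0000", "203.0.113.10", 80, "TCP", 1000003,
           "Suspicious EXE Download", "A Network Trojan was detected", 1),
    _alert("2025-09-26T08:32:02.000100+0000", "192.0.2.7", 0, "ICMP", 1000002,
           "ICMP Ping Flood Detected", "Attempted Denial of Service", 2),
    {"timestamp": "2025-09-26T08:32:30.000000+0000", "event_type": "flow",
     "src_ip": "192.0.2.7", "dest_ip": "198.51.100.5", "proto": "ICMP"},
]
SAMPLE_EVE = '\n'.join(json.dumps(e) for e in _EVENTS) + '\n{"event_type": "alert", "truncated\n'


def iter_alerts(text):
    """Yield alert records from EVE JSON lines, skipping other event types and unparseable lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:      # partial line from a log still being written
            continue
        if ev.get('event_type') == 'alert' and isinstance(ev.get('alert'), dict):
            yield ev


def summarize_alerts(text):
    """Count alerts per signature and per source, and list sources that hit several signatures."""
    by_signature, by_source = Counter(), Counter()
    sigs_per_source = defaultdict(set)
    for ev in iter_alerts(text):
        a = ev['alert']
        by_signature[(a['signature_id'], a['signature'])] += 1
        by_source[ev['src_ip']] += 1
        sigs_per_source[ev['src_ip']].add(a['signature_id'])
    return {'by_signature': by_signature, 'by_source': by_source,
            'multi_signature_sources': sorted(ip for ip, s in sigs_per_source.items() if len(s) > 1)}


def high_severity_sources(text, max_severity=1):
    """Sources with at least one alert at or above the given severity (1 is the most severe)."""
    return sorted({ev['src_ip'] for ev in iter_alerts(text)
                   if ev['alert'].get('severity', 3) <= max_severity})


def format_report(summary):
    """Render the summary as plain text suitable for a daily maintenance mail or ticket."""
    lines = ['Alerts per signature:']
    for (sid, sig), n in summary['by_signature'].most_common():
        lines.append(f'  {n:>5}  [{sid}] {sig}')
    lines.append('Alerts per source IP:')
    for ip, n in summary['by_source'].most_common():
        lines.append(f'  {n:>5}  {ip}')
    if summary['multi_signature_sources']:
        lines.append('Sources hitting more than one signature: '
                     + ', '.join(summary['multi_signature_sources']))
    return '\n'.join(lines)


if __name__ == '__main__':
    print(format_report(summarize_alerts(SAMPLE_EVE)))
    print('High-severity sources:', high_severity_sources(SAMPLE_EVE))
```

On a real host, replace SAMPLE_EVE with the contents of /var/log/suricata/eve.json (or the slice covering the period of interest). Counting per source across signatures is the useful part: a single rule firing is noise until the same source also shows up under a second, unrelated signature.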
Final Thoughts
Installing Suricata on AlmaLinux 10 gives our infrastructure a serious security upgrade. With regular rule updates, proper tuning, and log monitoring, we gain real-time visibility into malicious activity on our network.