Learn how to install, configure, and test Suricata IDS on Ubuntu 24.04 with practical commands, sample rules, and best practices. Improve network security.
Introduction:
Protecting our network is no longer optional — it’s essential. An Intrusion Detection System (IDS) like Suricata helps us spot threats in real-time, analyze network traffic, and improve security posture. In this guide, we will walk through installing and configuring Suricata on Ubuntu 24.04, using practical commands and best practices.
Suricata is an open-source, high-performance IDS/IPS and network security monitoring (NSM) engine. It can inspect live traffic, log network flows, and detect attacks using community-driven rule sets.
Prerequisites
Before we begin, ensure we have the following:
- An Ubuntu 24.04 server (dedicated server or KVM VPS).
- Basic Linux command-line knowledge.
Install & Configure Suricata IDS on Ubuntu 24.04
Step 1: Update and Prepare the System
Before we install anything, let’s make sure our server is updated. A clean and up-to-date environment avoids common dependency issues.
sudo apt update && sudo apt upgrade -y
sudo apt install software-properties-common -y
Step 2: Install Suricata
Ubuntu 24.04 includes Suricata in its official repositories, but for the latest stable features, we use the Open Information Security Foundation (OISF) PPA:
sudo add-apt-repository ppa:oisf/suricata-stable -y
sudo apt update
sudo apt install suricata -y
To confirm the installation:
suricata --build-info
This displays build details, confirming Suricata is correctly installed.
Step 3: Configure Suricata Network Interface
We need to tell Suricata which network interface to monitor. First, check available interfaces:
ip a
Let’s say our interface is eth0. Edit the Suricata configuration file:
sudo nano /etc/suricata/suricata.yaml
Look for the af-packet section and update it:
af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
Replace eth0 with your interface name. Save and exit the file.
Step 4: Download and Enable IDS Rules
Suricata uses rule sets to detect malicious patterns. We recommend enabling the Emerging Threats Open (ETOpen) rules, which are free and community-maintained:
sudo suricata-update
To manually enable or disable rules, check:
sudo nano /etc/suricata/suricata.yaml
Under rule-files, make sure emerging.rules is included.
Restart Suricata to load the new rules:
sudo systemctl restart suricata
Step 5: Run Suricata in IDS Mode
We can run Suricata as a service to monitor traffic continuously:
sudo systemctl enable suricata
sudo systemctl start suricata
To check status:
sudo systemctl status suricata
Step 6: Verify Logs and Alerts
Suricata logs alerts to /var/log/suricata/. The most useful file for security monitoring is fast.log:
tail -f /var/log/suricata/fast.log
Whenever suspicious activity is detected, it will appear here.
Step 7: Optional – Enable IPS Mode (Inline Blocking)
If we want Suricata to actively block malicious traffic, enable IPS mode using NFQUEUE:
Edit /etc/suricata/suricata.yaml:
sudo nano /etc/suricata/suricata.yaml
and set:
af-packet:
  - interface: eth0
    copy-mode: ips
    cluster-type: cluster_flow
Replace eth0 with your interface name. Save and exit the file.
Two points matter before any traffic is redirected. First, copy-mode: ips is Suricata's AF_PACKET inline mode: it only takes effect together with a copy-iface entry naming a second interface that Suricata bridges packets to, and it is independent of NFQUEUE. With NFQUEUE, the kernel hands queued packets to Suricata, so the daemon has to be started in NFQUEUE mode rather than the default AF_PACKET capture (suricata -q 0 on the command line; for the systemd service, adjust its start options, for example with systemctl edit suricata, or set LISTENMODE=nfqueue in /etc/default/suricata where the package reads that file). Second, if no process is reading the queue, the kernel drops every queued packet, and the INPUT rule below will then cut off your own SSH session. Appending --queue-bypass to each NFQUEUE rule makes the kernel accept packets whenever no listener is attached, which is the safe way to test.
Add a firewall rule to redirect traffic to NFQUEUE:
sudo iptables -I FORWARD -j NFQUEUE
sudo iptables -I INPUT -j NFQUEUE
Restart Suricata:
sudo systemctl restart suricata
Suricata now inspects the queued packets and drops those matching rules whose action is drop. Rules installed by suricata-update carry the alert action by default, so they only log until you convert the ones you want enforced to drop (suricata-update does this for the rules listed in /etc/suricata/drop.conf).
Step 8: Tune and Optimize
Every network is different. We can fine-tune Suricata by:
- Disabling noisy rules that generate false positives (listing their sids in /etc/suricata/disable.conf makes suricata-update leave them out on every update).
- Increasing worker threads: raise the threads: value in the af-packet section of suricata.yaml so packet processing is spread over more CPU cores.
- Automating updates with a cron job:
echo "0 3 * * * root suricata-update && systemctl restart suricata" | sudo tee /etc/cron.d/suricata-update
This keeps rules up to date and ensures better detection coverage. A restart briefly interrupts monitoring; Suricata can also reload rules live with suricatasc -c reload-rules, which the cron entry can call instead of systemctl restart.
Step 9: Add and Test Sample Suricata Rules
We can create our own rules to detect simple attack patterns. This helps verify that Suricata is running properly.
Create a Custom Rule File
sudo mkdir -p /etc/suricata/rules
sudo nano /etc/suricata/rules/local.rules
Add these sample rules:
# Detect SSH brute-force attempts: more than 5 new connections (SYN) to port 22 from one source within 60 seconds
alert tcp any any -> any 22 (msg:"Possible SSH Brute-Force"; flow:to_server; flags:S,12; detection_filter:track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000001; rev:1;)
# Detect ICMP ping floods (too many pings in short time)
alert icmp any any -> any any (msg:"ICMP Ping Flood Detected"; itype:8; detection_filter:track by_src, count 20, seconds 10; classtype:attempted-dos; sid:1000002; rev:1;)
# Detect access to suspicious .exe files over HTTP
alert http any any -> any any (msg:"Suspicious EXE Download"; content:".exe"; nocase; http_uri; classtype:trojan-activity; sid:1000003; rev:1;)
Save and exit.
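Before loading a hand-written rule file it is worth catching the mistakes that make Suricata refuse the whole file. The following Python script is an added example for this tutorial, not code from the Suricata project: it parses each rule into its header and options and flags a missing msg, sid or rev, sids outside 1000000-1999999 (the range reserved for local rules) and duplicate sids. The embedded sample is constructed from the three rules above; point lint_rules at the contents of /etc/suricata/rules/local.rules to check the real file.

```python
"""Sanity-check a Suricata rule file before loading it.

Added example for this tutorial (not code from the Suricata project): it
parses each rule line into action / protocol / header / options and flags
the mistakes that most often make Suricata reject a local rule file:
missing msg, sid or rev; sids outside 1000000-1999999 (the range reserved
for local rules); and duplicate sids.
"""
import re

# Constructed sample modelled on the three rules in local.rules above.
SAMPLE_RULES = r'''
# Detect SSH brute-force attempts (new connections to port 22)
alert tcp any any -> any 22 (msg:"Possible SSH Brute-Force"; flow:to_server; flags:S,12; detection_filter:track by_src, count 5, seconds 60; classtype:attempted-admin; sid:1000001; rev:1;)
# Detect ICMP ping floods
alert icmp any any -> any any (msg:"ICMP Ping Flood Detected"; itype:8; detection_filter:track by_src, count 20, seconds 10; classtype:attempted-dos; sid:1000002; rev:1;)
# Detect access to suspicious .exe files over HTTP
alert http any any -> any any (msg:"Suspicious EXE Download"; content:".exe"; nocase; http_uri; classtype:trojan-activity; sid:1000003; rev:1;)
'''

LOCAL_SID_MIN, LOCAL_SID_MAX = 1000000, 1999999

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|drop|reject|pass)\s+(?P<proto>\S+)\s+'
    r'(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+'
    r'(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$'
)


def split_options(opts):
    """Split the option body on ';', ignoring ';' inside quoted strings."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in opts:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == '\\':
            buf.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            buf.append(ch)
        elif ch == ';' and not quoted:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return [p for p in parts if p]


def parse_rule(line):
    """Return the header fields plus an options dict (keyword -> list of values)."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError('not a valid rule header: ' + line[:60])
    rule = m.groupdict()
    options = {}
    for opt in split_options(rule.pop('opts')):
        key, _, value = opt.partition(':')
        options.setdefault(key.strip(), []).append(value.strip().strip('"'))
    rule['options'] = options
    return rule


def lint_rules(text):
    """Parse every rule in text; return (rules, problems)."""
    rules, problems, seen_sids = [], [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        try:
            rule = parse_rule(line)
        except ValueError as exc:
            problems.append('line %d: %s' % (lineno, exc))
            continue
        opts = rule['options']
        for required in ('msg', 'sid', 'rev'):
            if required not in opts:
                problems.append('line %d: missing %s' % (lineno, required))
        sid = None
        if 'sid' in opts and opts['sid'][0].isdigit():
            sid = int(opts['sid'][0])
            if not LOCAL_SID_MIN <= sid <= LOCAL_SID_MAX:
                problems.append('line %d: sid %d is outside the local range %d-%d'
                                % (lineno, sid, LOCAL_SID_MIN, LOCAL_SID_MAX))
            if sid in seen_sids:
                problems.append('line %d: sid %d already used on line %d'
                                % (lineno, sid, seen_sids[sid]))
            seen_sids.setdefault(sid, lineno)
        rule['sid'] = sid
        rules.append(rule)
    return rules, problems


if __name__ == '__main__':
    # For the real file: lint_rules(open('/etc/suricata/rules/local.rules').read())
    parsed, issues = lint_rules(SAMPLE_RULES)
    for r in parsed:
        print(r['sid'], r['action'], r['proto'], r['dport'], r['options']['msg'][0])
    print('problems:', issues or 'none')
```

The linter is deliberately stricter than Suricata itself on sid ranges: Suricata will load a local rule with sid 500, but it would then collide with the public rule sets fetched by suricata-update, so the script reports it.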
Enable the Local Rule File
Open the Suricata configuration file:
sudo nano /etc/suricata/suricata.yaml
Under the rule-files: section, add the new file. Entries without a directory are looked up in default-rule-path (/var/lib/suricata/rules in the packaged configuration, where suricata-update writes suricata.rules), so give local.rules its full path:
rule-files:
  - suricata.rules
  - /etc/suricata/rules/local.rules
Suricata's configuration test (suricata -T) reports rule syntax errors before the service is touched. Then restart Suricata to apply:
sudo systemctl restart suricata
Testing the Rules
SSH brute force test: Try multiple failed SSH login attempts from another machine:
ssh wronguser@<server-ip>
Repeat 5–6 times within a minute.
Ping flood test: From another host, send rapid pings:
ping -f <server-ip>
Suspicious download test: Request a file with .exe in the URL (a web server or any other listener on port 80 must accept the connection; otherwise no HTTP request is ever sent and there is nothing to match):
curl http://<server-ip>/malicious.exe
Check Suricata logs for alerts:
tail -f /var/log/suricata/fast.log
You should see entries like:
09/26/2025-08:30:55.123456 [**] [1:1000001:1] Possible SSH Brute-Force [**] ...
Adding these rules turns the tutorial into a hands-on experience and shows readers how Suricata catches real threats. It also encourages them to experiment with more complex detections and build security awareness.
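Once alerts start arriving, the first questions are which signatures fire most and which sources are behind them, since that drives the tuning in Step 8. The following Python script is an added example for this tutorial, not code from the Suricata project: it parses the one-line fast.log format shown above into fields and summarizes alerts per signature and per source. The log excerpt embedded in it is constructed for the example (IPv4 only, RFC 5737 documentation addresses) and uses the tutorial's three local rules; pass the contents of /var/log/suricata/fast.log to parse_fast_log to run it on real data.

```python
"""Summarize Suricata fast.log alerts by signature and by source address.

Added example for this tutorial (not code from the Suricata project). It
parses the one-line fast.log format shown above and answers the first two
questions when reviewing alerts: which signatures fire most (candidates for
tuning in Step 8) and which sources are behind them. The log excerpt below
is constructed for the example and uses the tutorial's three local rules.
"""
import re
from collections import Counter

# Constructed fast.log excerpt (IPv4 only; RFC 5737 documentation addresses).
SAMPLE_FAST_LOG = """\
09/26/2025-08:30:55.123456  [**] [1:1000001:1] Possible SSH Brute-Force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:51234 -> 198.51.100.10:22
09/26/2025-08:30:57.004210  [**] [1:1000001:1] Possible SSH Brute-Force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:51236 -> 198.51.100.10:22
09/26/2025-08:30:58.771903  [**] [1:1000001:1] Possible SSH Brute-Force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:51238 -> 198.51.100.10:22
09/26/2025-08:31:00.310558  [**] [1:1000001:1] Possible SSH Brute-Force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:51240 -> 198.51.100.10:22
09/26/2025-08:31:01.902114  [**] [1:1000001:1] Possible SSH Brute-Force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:51242 -> 198.51.100.10:22
09/26/2025-08:31:03.455009  [**] [1:1000001:1] Possible SSH Brute-Force [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:51244 -> 198.51.100.10:22
09/26/2025-08:32:10.000417  [**] [1:1000002:1] ICMP Ping Flood Detected [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 203.0.113.7:0 -> 198.51.100.10:0
09/26/2025-08:32:10.001033  [**] [1:1000002:1] ICMP Ping Flood Detected [**] [Classification: Attempted Denial of Service] [Priority: 2] {ICMP} 203.0.113.7:0 -> 198.51.100.10:0
09/26/2025-08:35:42.618290  [**] [1:1000003:1] Suspicious EXE Download [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 198.51.100.20:40312 -> 198.51.100.10:80
"""

# timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<classification>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<priority>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+'
    r'(?P<src>\S+):(?P<sport>\d+)\s+->\s+(?P<dst>\S+):(?P<dport>\d+)\s*$'
)


def parse_fast_log(text):
    """Return (events, unparsed_lines); each event is a dict of the fields above."""
    events, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FAST_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        event = m.groupdict()
        for key in ('gid', 'sid', 'rev', 'priority', 'sport', 'dport'):
            event[key] = int(event[key])
        events.append(event)
    return events, unparsed


def summarize_by_signature(events):
    """Per sid: message, alert count and the set of distinct source addresses."""
    summary = {}
    for e in events:
        entry = summary.setdefault(e['sid'], {'msg': e['msg'], 'count': 0, 'sources': set()})
        entry['count'] += 1
        entry['sources'].add(e['src'])
    return summary


def top_sources(events, n=5):
    """Source addresses ranked by number of alerts."""
    return Counter(e['src'] for e in events).most_common(n)


def noisy_signatures(events, threshold):
    """Sids that reached the threshold; review these first when tuning."""
    return sorted(sid for sid, s in summarize_by_signature(events).items()
                  if s['count'] >= threshold)


if __name__ == '__main__':
    # For the live file: parse_fast_log(open('/var/log/suricata/fast.log').read())
    events, unparsed = parse_fast_log(SAMPLE_FAST_LOG)
    for sid, s in sorted(summarize_by_signature(events).items()):
        print('sid %d: %3d alert(s) from %d source(s)  %s'
              % (sid, s['count'], len(s['sources']), s['msg']))
    print('top sources:', top_sources(events, 3))
    print('noisy signatures (>= 5 alerts):', noisy_signatures(events, 5))
    if unparsed:
        print('unparsed lines:', len(unparsed))
```

A signature that shows many alerts from many unrelated sources is usually a tuning candidate (too broad a match), whereas many alerts from a single source, as with the SSH rule here, is the pattern the rule was written for. For anything beyond quick triage, eve.json carries the same alerts as structured JSON and is the better input for ELK or Graylog.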
Final Thoughts
By following these steps, we now have a fully functional Suricata IDS on Ubuntu 24.04. This setup provides us with real-time network visibility and helps us detect potential intrusions early.
Suricata’s power lies in its flexibility — we can expand it with custom rules, log integration with tools like ELK/Graylog, and even transform it into a full IPS. Keeping rules updated and monitoring alerts regularly is key to maintaining strong network security.