
Installing Suricata 4.* on Debian Stretch

Kept getting version conflicts trying to install the Suricata 4 IDS on Debian Stretch. It looks like the Suricata package expects to be installed on Buster, which is sort of weird. Here’s how to get past the errors (e.g. a libc6 version requirement that Stretch can’t satisfy).

For Ubuntu, the OISF maintains a PPA, suricata-stable, that always contains the latest stable release:

sudo add-apt-repository ppa:oisf/suricata-stable

Since the Suricata package in Stretch’s main repository is out of date, add the stretch-backports repository (run this as root; with sudo the redirect itself needs root, so wrap it in a shell):

echo "deb http://http.debian.net/debian stretch-backports main" > /etc/apt/sources.list.d/backports.list

Do your apt update:

apt-get update

Finally, use the stretch backport for the install:

apt-get install suricata -t stretch-backports
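The three steps above (add the backports list, update, install from the backports suite) as one idempotent script. This is an added example and not the post's own commands: it refuses to run on anything other than Stretch, only appends the backports line if it is not already there (the post's echo overwrites the file), and finishes with a version check. The os-release path and list file path are parameters so the helpers can be exercised against constructed files.

```shell
#!/bin/sh
# Added example (not from the original post): idempotent Suricata install from
# stretch-backports. Run as root; set SURICATA_INSTALL_RUN=1 to actually install.
set -eu

# Return the Debian codename from an os-release file. The path is a parameter
# so the check can be run against a constructed file instead of /etc/os-release.
debian_codename() {
    sed -n 's/^VERSION_CODENAME=//p' "$1" | tr -d '"'
}

# Build the apt source line for a release's backports suite (same mirror as the post).
backports_line() {
    printf 'deb http://http.debian.net/debian %s-backports main\n' "$1"
}

# Append the backports line only if the list file does not already contain it.
ensure_backports_list() {
    codename=$1
    listfile=${2:-/etc/apt/sources.list.d/backports.list}
    line=$(backports_line "$codename")
    if [ -f "$listfile" ] && grep -qxF "$line" "$listfile"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$listfile"
}

# Guarded install: verify the release, add the repo, update, install with -t,
# then print the installed version so you can confirm a 4.x build was pulled.
install_suricata() {
    codename=$(debian_codename /etc/os-release)
    if [ "$codename" != "stretch" ]; then
        echo "this script targets Debian Stretch, found: '$codename'" >&2
        return 1
    fi
    ensure_backports_list "$codename"
    apt-get update
    apt-get install -y -t "${codename}-backports" suricata
    suricata -V
}

# Only touch the system when explicitly asked, so the helpers can be sourced safely.
if [ "${SURICATA_INSTALL_RUN:-0}" = "1" ]; then
    install_suricata
fi
```

Run it as `SURICATA_INSTALL_RUN=1 sh install-suricata.sh` on the target box; the version check at the end is what tells you whether apt actually picked the backports build rather than the stale one from main.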

Don’t forget to take advantage of the new suricata-update tool for rule updates.

To install suricata-update:

sudo apt install python-pip python-yaml
sudo pip install --pre --upgrade suricata-update

To download the Emerging Threats Open ruleset, it is enough to simply run:

sudo suricata-update

This will download the ruleset into /var/lib/suricata/rules/.

Suricata’s configuration will have to be updated to have a rules config like this:

default-rule-path: /var/lib/suricata/rules
rule-files:
- suricata.rules

Now (re)start Suricata.
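Before restarting, it is worth checking that the rules config you just edited points at files that exist, otherwise Suricata comes up with no rules loaded. The following added example (not from the original post) extracts `default-rule-path` and the `rule-files` entries from a suricata.yaml, reports any missing rule file, and only then hands the config to Suricata's own test mode (`suricata -T`) and restarts the service. It assumes the Debian package's config at /etc/suricata/suricata.yaml and a systemd unit named suricata; the config path is a parameter so the parsing helpers can run against a constructed file.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the rules config
# before restarting Suricata. Assumes /etc/suricata/suricata.yaml and a
# systemd unit called "suricata" (both Debian package defaults).
set -eu

# Read the top-level default-rule-path value from a suricata.yaml.
rule_path_from_config() {
    sed -n 's/^default-rule-path:[[:space:]]*//p' "$1" | head -n 1
}

# Print the entries listed under the top-level rule-files: key, one per line.
# Handles both the unindented "- x.rules" form and the indented "  - x.rules".
rule_files_from_config() {
    awk '
        /^rule-files:/ { inlist = 1; next }
        inlist && /^[[:space:]]*-[[:space:]]*/ { sub(/^[[:space:]]*-[[:space:]]*/, ""); print; next }
        inlist && /^[^[:space:]#]/ { inlist = 0 }
    ' "$1"
}

# Count the rule files named in the config that do not exist on disk.
# Relative names are resolved against default-rule-path, absolute ones as given.
missing_rule_files() {
    cfg=$1
    dir=$(rule_path_from_config "$cfg")
    missing=0
    for f in $(rule_files_from_config "$cfg"); do
        case $f in
            /*) path=$f ;;
            *)  path=$dir/$f ;;
        esac
        if [ ! -f "$path" ]; then
            echo "missing rule file: $path" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Full check: every configured rule file must exist, then let Suricata validate
# the whole configuration in test mode before the service is restarted.
check_and_restart() {
    cfg=${1:-/etc/suricata/suricata.yaml}
    if [ "$(missing_rule_files "$cfg")" -ne 0 ]; then
        echo "run 'suricata-update' first, or fix rule-files in $cfg" >&2
        return 1
    fi
    suricata -T -c "$cfg" && systemctl restart suricata
}
```

Call `check_and_restart` (optionally with a config path) in place of a bare restart; a non-zero exit tells you the restart was skipped and why.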