Suricata is a free, open-source, independent threat detection engine developed by the Open Information Security Foundation. It is a flexible, high-performance intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring (NSM) tool that can detect and block attacks against your network. The IDS analyses network traffic and detects known attacks by matching signatures, while the IPS has the ability to stop a packet from being delivered depending on the attack detected.

In this post, we will show you how to install Suricata IDS on Rocky Linux 10.

Step 1 – Install Suricata on Rocky Linux 10

Suricata is not included in the default Rocky Linux repositories, so you will install it from the OISF COPR repository. That repository needs the EPEL repository for its dependencies and the DNF COPR plugin, so enable those first.

Enable EPEL and the necessary DNF plugins.

dnf install -y epel-release dnf-plugins-core

The Open Information Security Foundation (OISF) maintains Suricata packages for Enterprise Linux families in COPR. Enable the repository for the Suricata 7.0 branch with the following command:

dnf copr enable @oisf/suricata-7.0

Now, install Suricata.

dnf install -y suricata

Once Suricata is installed, you can proceed to the next step.


Step 2 – Configure Suricata

Suricata detects threats by matching traffic against rule signatures. The protocol event rules shipped with the package are in the /usr/share/suricata/rules/ directory (rules downloaded by suricata-update go to /var/lib/suricata/rules/). You can list the shipped rules with the following command:

ls /usr/share/suricata/rules/

You will get the following output:

app-layer-events.rules  dnp3-events.rules  ftp-events.rules    ipsec-events.rules     mqtt-events.rules  quic-events.rules  smtp-events.rules    tls-events.rules
decoder-events.rules    dns-events.rules   http2-events.rules  kerberos-events.rules  nfs-events.rules   rfb-events.rules   ssh-events.rules
dhcp-events.rules       files.rules        http-events.rules   modbus-events.rules    ntp-events.rules   smb-events.rules   stream-events.rules

Download and update the rules (by default the Emerging Threats Open ruleset, merged into /var/lib/suricata/rules/suricata.rules) with the following command:

suricata-update

You will get the following output:

15/10/2025 -- 06:00:50 -  -- Using data-directory /var/lib/suricata.
15/10/2025 -- 06:00:50 -  -- Using Suricata configuration /etc/suricata/suricata.yaml
15/10/2025 -- 06:00:50 -  -- Using /usr/share/suricata/rules for Suricata provided rules.
15/10/2025 -- 06:00:50 -  -- Found Suricata version 7.0.12 at /usr/sbin/suricata.
15/10/2025 -- 06:00:50 -  -- Loading /etc/suricata/suricata.yaml
15/10/2025 -- 06:00:50 -  -- Disabling rules for protocol pgsql
15/10/2025 -- 06:00:50 -  -- Disabling rules for protocol modbus
15/10/2025 -- 06:00:50 -  -- Disabling rules for protocol dnp3
15/10/2025 -- 06:00:50 -  -- Disabling rules for protocol enip
15/10/2025 -- 06:00:50 -  -- No sources configured, will use Emerging Threats Open
15/10/2025 -- 06:00:54 -  -- Testing with suricata -T.
15/10/2025 -- 06:01:02 -  -- Done.

Next, you will need to configure Suricata with the network interface it should monitor and the IP address of that interface (HOME_NET).

First, find the network interface and IP address of your server with the following command:

ip --brief add

You will get output similar to the following. In this example the monitored interface is ens3 and its IP address is 69.28.84.193:

lo               UNKNOWN        127.0.0.1/8 ::1/128
ens3             UP             69.28.84.193/23
ens4             UP

Now, edit the Suricata configuration file:

nano /etc/suricata/suricata.yaml

Set HOME_NET to your server's IP address (69.28.84.193 in this example) and the af-packet interface to the interface found above (ens3), as shown below:

HOME_NET: "[69.28.84.193]"
EXTERNAL_NET: "!$HOME_NET"

af-packet:
  - interface: ens3

default-rule-path: /var/lib/suricata/rules
rule-files:
  - suricata.rules

Save and close the file. Then disable generic receive offload (GRO) and large receive offload (LRO) on the interface, so that Suricata sees packets as they arrive on the wire instead of as re-assembled super-packets. Note that this ethtool setting does not survive a reboot, so re-apply it at boot (for example from a systemd unit ordered before suricata.service):

ethtool -K ens3 gro off lro off
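HOME_NET must cover the address of the interface Suricata monitors, and a mismatch between the two is easy to introduce when values are copied from another host. The following added example (not part of this guide's steps or of Suricata itself) cross-checks the two using the `ip --brief address` output format and a suricata.yaml fragment; the interface names, addresses and YAML content are constructed sample data.

```python
"""Cross-check HOME_NET and the af-packet interface in suricata.yaml against the
host's real addresses before starting Suricata (added example, stdlib only)."""
import ipaddress
import re

# Constructed sample modelled on the `ip --brief address` output shown above.
IP_BRIEF_OUTPUT = """\
lo               UNKNOWN        127.0.0.1/8 ::1/128
ens3             UP             69.28.84.193/23
ens4             UP
"""

# Constructed suricata.yaml fragment whose HOME_NET does NOT match ens3.
SURICATA_YAML = """\
    HOME_NET: "[209.23.8.4]"
    EXTERNAL_NET: "!$HOME_NET"
af-packet:
  - interface: ens3
"""

def parse_ip_brief(text):
    """Return {interface: [ip_address, ...]} from `ip -brief address` output."""
    addrs = {}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) >= 2:  # name, state, then zero or more CIDR addresses
            addrs[parts[0]] = [ipaddress.ip_interface(p).ip for p in parts[2:]]
    return addrs

def parse_suricata_yaml(text):
    """Extract HOME_NET networks and af-packet interfaces with regexes (no PyYAML needed)."""
    m = re.search(r'^\s*HOME_NET:\s*"?\[?([^"\]\n]*)\]?"?', text, re.M)
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()] if m else []
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    ifaces = re.findall(r"^\s*-\s*interface:\s*(\S+)", text, re.M)
    return nets, ifaces

def check_home_net(ip_brief, yaml_text):
    """Return a list of problems; an empty list means the config is consistent."""
    addrs = parse_ip_brief(ip_brief)
    nets, ifaces = parse_suricata_yaml(yaml_text)
    problems = []
    for iface in ifaces:
        if iface not in addrs:
            problems.append(f"af-packet interface {iface} does not exist on this host")
            continue
        for ip in addrs[iface]:  # loopback and link-local addresses are not checked
            if not (ip.is_loopback or ip.is_link_local or any(ip in n for n in nets)):
                problems.append(f"{iface} address {ip} is not covered by HOME_NET {[str(n) for n in nets]}")
    return problems
```

On a real host, feed it the output of `ip --brief address` and the contents of /etc/suricata/suricata.yaml instead of the constructed strings.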

Next, you will need to edit the /etc/sysconfig/suricata file and define the network interface on which Suricata is listening.

nano /etc/sysconfig/suricata

Set the OPTIONS line to your interface:

OPTIONS="-i ens3 --user suricata"

Save and close the file when you are finished. Then, start and enable the Suricata service with the following command:

systemctl enable --now suricata

Next, check the status of Suricata using the following command:

systemctl status suricata

You will get the following output:

ā— suricata.service - Suricata Intrusion Detection Service
     Loaded: loaded (/usr/lib/systemd/system/suricata.service; enabled; preset: disabled)
     Active: active (running) since Wed 2025-10-15 06:05:38 EDT; 9s ago
 Invocation: eecc8ccb1c894d79a608c651b54f34dd
       Docs: man:suricata(1)
    Process: 56169 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
   Main PID: 56170 (Suricata-Main)
      Tasks: 7 (limit: 12342)
     Memory: 985.2M (peak: 1G)
        CPU: 6.570s
     CGroup: /system.slice/suricata.service
             └─56170 /sbin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i ens3 --user suricata

Step 3 – Check Suricata Logs

Suricata writes several log files under /var/log/suricata/: suricata.log for the engine itself, fast.log for alerts, and stats.log for periodic counters (the JSON eve.json output, which log shippers usually consume, is written there as well).

To check the Suricata process log, run the following command:

tail /var/log/suricata/suricata.log

You should see the following output:

[56170 - Suricata-Main] 2025-10-15 06:05:45 Warning: af-packet: ens3: AF_PACKET tpacket-v3 is recommended for non-inline operation
[56170 - Suricata-Main] 2025-10-15 06:05:45 Info: runmodes: ens3: creating 1 thread
[56170 - Suricata-Main] 2025-10-15 06:05:45 Info: unix-manager: unix socket '/var/run/suricata/suricata-command.socket'
[56172 - W#01-ens3] 2025-10-15 06:05:45 Info: ioctl: ens3: MTU 1500
[56170 - Suricata-Main] 2025-10-15 06:05:45 Notice: threads: Threads created -> W: 1 FM: 1 FR: 1   Engine started.

To check the Suricata alert log, run the following command:

tail -f /var/log/suricata/fast.log

You should see the following output:

10/15/2025-06:07:10.843166  [**] [1:2403317:103810] ET CINS Active Threat Intelligence Poor Reputation IP group 18 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 20.163.15.43:41370 -> 69.28.84.193:8443
10/15/2025-06:07:22.116273  [**] [1:2402000:7527] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 204.76.203.231:43697 -> 69.28.84.193:654
10/15/2025-06:07:27.654114  [**] [1:2402000:7527] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 87.120.191.13:54246 -> 69.28.84.193:8728

To check the Suricata stats log, run the following command:

tail -f /var/log/suricata/stats.log

You should see the following output:

------------------------------------------------------------------------------------
Counter                                       | TM Name                   | Value
------------------------------------------------------------------------------------
capture.kernel_packets                        | Total                     | 651
decoder.pkts                                  | Total                     | 651
decoder.bytes                                 | Total                     | 51754
decoder.ipv4                                  | Total                     | 398
decoder.ipv6                                  | Total                     | 251
decoder.ethernet                              | Total                     | 651

Step 4 – Test Suricata IDS

At this point, Suricata IDS is installed and configured, and it is time to verify that it actually inspects traffic. To do so, log in to another system and install the Nmap package, which provides the nping packet-generation tool.

dnf install nmap

After installing Nmap, send a burst of TCP SYN packets (a simple SYN flood) to port 22 of the Suricata server with the following command:

nping --tcp -p 22 --flags SYN --rate 1000 --count 10000 69.28.84.193

Now, go to the Suricata system and check the alert log using the following command:

tail -f /var/log/suricata/fast.log

You should see the following output:

10/15/2025-06:12:51.924577  [**] [1:2500016:7410] ET COMPROMISED Known Compromised or Hostile Host Traffic group 9 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 36.140.33.10:36929 -> 69.28.84.193:22
10/15/2025-06:13:24.491969  [**] [1:2402000:7527] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 147.185.132.10:55831 -> 69.28.84.193:22
10/15/2025-06:13:24.860635  [**] [1:2400031:4495] ET DROP Spamhaus DROP Listed Traffic Inbound group 32 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 178.22.24.60:52601 -> 69.28.84.193:44329
10/15/2025-06:13:25.798491  [**] [1:2402000:7527] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 64.62.156.61:36426 -> 69.28.84.193:3000
10/15/2025-06:13:31.067000  [**] [1:2402000:7527] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 167.94.146.43:25436 -> 69.28.84.193:5426

The above output shows Suricata inspecting traffic on ens3 and writing alerts to fast.log, which confirms that the engine is working.
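Tailing fast.log, as done in Step 3 and again here, only shows alerts one at a time. The following added example (not part of the original post) parses fast.log lines into their fields and counts alerts per signature, source address and destination port, which is how a defender would spot a source that hammers one port. It uses five alert lines from the output above plus one constructed ICMP line with a placeholder SID.

```python
"""Parse Suricata fast.log alerts into fields and summarise them (added example)."""
import re
from collections import Counter

# Field layout of Suricata's fast-log output; ports are optional so ICMP lines
# ("{ICMP} a.b.c.d -> e.f.g.h") parse too. IPv4 only, as in the log above.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+"
    r"(?P<src>[0-9.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[0-9.]+)(?::(?P<dport>\d+))?\s*$"
)

# Five lines copied from the fast.log output shown above, plus one constructed
# ICMP line (placeholder SID 9000001) to exercise the port-less form.
SAMPLE_LINES = [
    "10/15/2025-06:07:10.843166  [**] [1:2403317:103810] ET CINS Active Threat Intelligence Poor Reputation IP group 18 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 20.163.15.43:41370 -> 69.28.84.193:8443",
    "10/15/2025-06:07:22.116273  [**] [1:2402000:7527] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 204.76.203.231:43697 -> 69.28.84.193:654",
    "10/15/2025-06:07:27.654114  [**] [1:2402000:7527] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 87.120.191.13:54246 -> 69.28.84.193:8728",
    "10/15/2025-06:12:51.924577  [**] [1:2500016:7410] ET COMPROMISED Known Compromised or Hostile Host Traffic group 9 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 36.140.33.10:36929 -> 69.28.84.193:22",
    "10/15/2025-06:13:24.491969  [**] [1:2402000:7527] ET DROP Dshield Block Listed Source group 1 [**] [Classification: Misc Attack] [Priority: 2] {TCP} 147.185.132.10:55831 -> 69.28.84.193:22",
    "10/15/2025-06:14:02.000000  [**] [1:9000001:1] EXAMPLE ICMP echo request (constructed) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.7 -> 69.28.84.193",
]

def parse_fast_line(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])
    alert["sport"] = int(alert["sport"]) if alert["sport"] else None
    alert["dport"] = int(alert["dport"]) if alert["dport"] else None
    return alert

def summarize(lines):
    """Count alerts per signature, per source address and per destination port."""
    alerts = [a for a in map(parse_fast_line, lines) if a]
    return {
        "total": len(alerts),
        "by_sig": Counter((a["sid"], a["msg"]) for a in alerts),
        "by_src": Counter(a["src"] for a in alerts),
        "by_dport": Counter(a["dport"] for a in alerts if a["dport"] is not None),
    }

if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for (sid, msg), n in s["by_sig"].most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
    print("top destination ports:", s["by_dport"].most_common(3))
```

To run it against the live log, replace SAMPLE_LINES with the lines read from /var/log/suricata/fast.log.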

Conclusion

In this guide, we explained how to install Suricata IDS on Rocky Linux 10. We also configured Suricata IDS and tested it by generating a SYN flood from a second host. You can now deploy Suricata IDS on a production server to detect such attacks against it. Try it on dedicated servers from Atlantic.Net!