How To Install Suricata on Debian 12 (Bookworm)

Welcome to today’s guide on how to install and configure Suricata on Debian 12 (Bookworm). Suricata is a free and open source network threat detection engine. It is designed to be fast, robust, secure, usable and efficient, and its development has matured enough for adoption in any network infrastructure. Suricata is capable of real-time intrusion detection (IDS), inline intrusion prevention (IPS), network security monitoring (NSM) and offline pcap processing.

Suricata uses an extensive rule and signature language to inspect network traffic. Additionally, the Lua scripting language can be used to detect complex threats. YAML and JSON are the supported input and output formats, which makes integration with existing tools such as Splunk, SIEMs, Logstash/Elasticsearch, Kibana and other databases effortless.

Step 1: Update Debian System

Let’s begin our installation by updating the system and upgrading all packages.

sudo apt update -y && sudo apt upgrade -y

A reboot is always recommended whenever a Linux system is upgraded:

sudo reboot

Step 2: Install Dependency packages

We’ll install Suricata on Debian 12 from the source distribution files which gives the most control over the Suricata installation. Before installation we need to install a number of dependency packages using the commands below.

sudo apt update -y
sudo apt -y install wget curl make libpcre3 libpcre3-dbg libpcre3-dev build-essential autoconf automake libtool libpcap-dev libnet1-dev libyaml-0-2 libyaml-dev zlib1g zlib1g-dev libmagic-dev libcap-ng-dev libjansson-dev pkg-config cargo libnetfilter-queue-dev libcap-ng0 libnss3-dev libgeoip-dev liblua5.1-0-dev libhiredis-dev libevent-dev libpcre2-dev python3-yaml

Install extra tools for iptables/nftables IPS integration:

sudo apt install -y libnetfilter-queue-dev libnetfilter-queue1 libnetfilter-log-dev libnetfilter-log1 libnfnetlink-dev libnfnetlink0

Setup Rust support:

sudo apt remove --purge rustc -y
curl -sSf https://sh.rustup.rs | sh
. "$HOME/.cargo/env" 

Step 3: Download and build Suricata on Debian 12

Download the latest release of Suricata source code:

export SUR_VERSION=7.0.9
wget https://www.openinfosecfoundation.org/download/suricata-$SUR_VERSION.tar.gz
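
Before extracting and building the tarball, check that it carries a valid signature from the release key you expect. This is an added example, not part of the original guide: it assumes the detached signature is published next to the tarball as suricata-$SUR_VERSION.tar.gz.sig, that the OISF release key is already imported into your keyring, and that EXPECTED_FPR is a placeholder you fill with the fingerprint published by the project.

```shell
# Added example: verify the detached PGP signature of the Suricata tarball.
# Assumed, not taken from the guide: the .sig URL pattern and EXPECTED_FPR.

# Read `gpg --status-fd` output on stdin and print the primary-key fingerprint
# of a valid signature. VALIDSIG lists the signing (sub)key first and the
# primary key as its last field; any bad/expired/revoked marker fails closed.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { fpr = $NF }
         $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" ||
                              $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") { bad = 1 }
         END { if (bad || fpr == "") exit 1; print fpr }'
}

# usage: verify_release <tarball> <signature> <expected-primary-fingerprint>
verify_release() {
    local tarball="$1" sig="$2" expected got status
    # Normalise the expected fingerprint: no spaces, upper-case hex like gpg prints.
    expected=$(printf '%s' "$3" | tr -d ' ' | tr 'a-f' 'A-F')
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || true
    got=$(printf '%s\n' "$status" | primary_fpr_from_status) || {
        echo "no valid signature on $tarball" >&2
        return 1
    }
    if [ "$got" != "$expected" ]; then
        echo "signed by unexpected key $got" >&2
        return 1
    fi
    echo "OK: $tarball signed by $got"
}

# Typical use, run in the download directory before `tar xvf`:
#   wget https://www.openinfosecfoundation.org/download/suricata-$SUR_VERSION.tar.gz.sig
#   verify_release suricata-$SUR_VERSION.tar.gz suricata-$SUR_VERSION.tar.gz.sig "$EXPECTED_FPR"
```

Comparing the fingerprint matters because a bare `gpg --verify` succeeds for any key in the keyring, not only the release key.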

Extract the downloaded file:

tar xvf suricata-$SUR_VERSION.tar.gz

Navigate to the folder created from file extraction:

cd suricata-$SUR_VERSION/

Build Suricata with IPS capabilities:

./configure --enable-nfqueue --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-rust
make

Run the following command to install Suricata on Debian 12:

sudo make install

Install initial configuration files to /etc/suricata/:

sudo make install-conf

Refresh the dynamic linker cache so that the newly installed library is found:

sudo ldconfig

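Install the tool for updating your Suricata rules:

sudo apt install python3-pip
# Debian 12 marks the system Python as externally managed (PEP 668), so pip needs an explicit override
sudo pip install --break-system-packages --upgrade suricata-update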

Update Suricata rules:

sudo suricata-update

Step 4: Configure Suricata on Debian 12

Suricata's main configuration file is located at /etc/suricata/suricata.yaml.

Check the available network interfaces to identify which one you would like Suricata to use. Debian 12 does not install ifconfig by default, so use the ip command:

$ ip -br link

Create a Suricata systemd unit file.

Instead of eth0, you can enter the interface card of your preference.

$ sudo vim /etc/systemd/system/suricata.service
[Unit]
Description=Suricata Intrusion Detection Service
After=syslog.target network-online.target

[Service]
ExecStartPre=/bin/rm -f /var/run/suricata.pid
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml -i eth0 --pidfile /var/run/suricata.pid $OPTIONS
ExecReload=/bin/kill -USR2 $MAINPID

[Install]
WantedBy=multi-user.target
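
The unit above hard-codes eth0, while Debian 12 normally uses predictable interface names (the status output further down shows enp1s0), and a wrong name only surfaces when the service fails to start. The following pre-flight check is an added example, not part of the original guide; the function names unit_opt and preflight_unit are hypothetical, and the optional second argument exists only so the check can be exercised against a directory other than /sys/class/net.

```shell
# Added example: sanity-check the systemd unit before starting the service.

# Print the value that follows <flag> on the unit's ExecStart line (e.g. -i, -c).
# usage: unit_opt <unit-file> <flag>
unit_opt() {
    sed -n "s/^ExecStart=.*[[:space:]]$2[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p" "$1" |
        head -n 1
}

# Return 0 only if the interface named with -i exists and the file named
# with -c is readable; report every problem found, not just the first.
# usage: preflight_unit <unit-file> [sysfs-net-dir]
preflight_unit() {
    local unit="$1" netdir="${2:-/sys/class/net}" iface conf rc=0
    iface=$(unit_opt "$unit" -i)
    conf=$(unit_opt "$unit" -c)
    if [ -z "$iface" ] || [ ! -e "$netdir/$iface" ]; then
        echo "interface '$iface' not found; available: $(ls "$netdir" 2>/dev/null | tr '\n' ' ')" >&2
        rc=1
    fi
    if [ -z "$conf" ] || [ ! -r "$conf" ]; then
        echo "config '$conf' not readable" >&2
        rc=1
    fi
    return $rc
}

# Typical use; `suricata -T` then test-loads the configuration and rules:
#   preflight_unit /etc/systemd/system/suricata.service &&
#       sudo suricata -T -c /etc/suricata/suricata.yaml
```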

Reload systemd unit files:

sudo systemctl daemon-reload

Start and enable the Suricata service:

sudo systemctl start suricata
sudo systemctl enable suricata

Confirm service status:

$ sudo systemctl status suricata
● suricata.service - Suricata Intrusion Detection Service
     Loaded: loaded (/etc/systemd/system/suricata.service; disabled; preset: enabled)
     Active: active (running) since Thu 2025-03-20 16:54:28 EAT; 8s ago
    Process: 23999 ExecStartPre=/bin/rm -f /var/run/suricata.pid (code=exited, status=0/SUCCESS)
   Main PID: 24000 (Suricata-Main)
      Tasks: 8 (limit: 7032)
     Memory: 919.3M
        CPU: 5.035s
     CGroup: /system.slice/suricata.service
             └─24000 /usr/bin/suricata -c /etc/suricata/suricata.yaml -i enp1s0 --pidfile /var/run/suricata.pid

Mar 20 16:54:28 debian systemd[1]: Starting suricata.service - Suricata Intrusion Detection Service...
Mar 20 16:54:28 debian systemd[1]: Started suricata.service - Suricata Intrusion Detection Service.
Mar 20 16:54:28 debian suricata[24000]: i: suricata: This is Suricata version 7.0.9 RELEASE running in SYSTEM mode
Mar 20 16:54:33 debian suricata[24000]: W: af-packet: enp1s0: AF_PACKET tpacket-v3 is recommended for non-inline operation
Mar 20 16:54:33 debian suricata[24000]: i: threads: Threads created -> W: 2 FM: 1 FR: 1   Engine started.

Now that you have Suricata installed and running on Debian 12 (Bookworm), visit the project documentation page to read more on advanced configurations and usage.
