# Install details from: https://suricata.readthedocs.io/en/suricata-6.0.0/install.html#install-binary-packages
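# Two alternative package sources follow: the OISF PPA is the Ubuntu route,
# buster-backports the Debian route. Use the one that matches the host.
# Adding the PPA also makes apt trust a third-party signing key.
add-apt-repository ppa:oisf/suricata-stable
# The backports entry uses plain HTTP: apt still verifies the signed Release
# file, but the transfer is unencrypted and visible on the wire.
echo "deb http://http.debian.net/debian buster-backports main" > \
/etc/apt/sources.list.d/backports.list
# Refresh the package index so the newly added source is visible to apt.
apt-get update
apt-get install suricata -t buster-backports
suricata-update list-sources # List the available rule sources
suricata-update enable-source et/open # Enable the et/open ruleset
# enable-source only records the source; this run downloads and writes the rules.
suricata-update
## To use the downloaded rules, set the following line in /etc/suricata/suricata.yaml
## (YAML setting, not a shell command):
default-rule-path: /var/lib/suricata/rules
## Add rules in /etc/suricata/rules/suricata.rules
# Run in IDS mode on eth0 (stays in the foreground).
suricata -c /etc/suricata/suricata.yaml -i eth0
# Ask the running instance to reload its ruleset without blocking. Validate the
# configuration first (see below) so a broken rule file is caught before the reload.
suricatasc -c ruleset-reload-nonblocking
## or set the following in /etc/suricata/suricata.yaml
## NOTE(review): the setting itself is missing from these notes.
# Validate suricata config
suricata -T -c /etc/suricata/suricata.yaml -v
# Configure suricata as IPS
## Configure drop to generate alerts
## Search for the following lines in /etc/suricata/suricata.yaml and remove comments:
## NOTE(review): the lines to uncomment are missing from these notes.
## Forward all packets to the queue where suricata can act as IPS
## NOTE(review): packets sent to a queue with no listener are dropped, so from the
## moment these rules are inserted until Suricata is bound to the queue (and whenever
## it stops) the host passes no traffic, remote admin sessions included. Apply them
## from a console or with a rollback ready, and decide deliberately between
## fail-closed (as written) and fail-open (the NFQUEUE target's --queue-bypass option).
## INPUT/OUTPUT only cover traffic to and from this host; routed traffic goes
## through FORWARD.
iptables -I INPUT -j NFQUEUE
iptables -I OUTPUT -j NFQUEUE
## Start suricata in IPS mode (-q 0 binds queue 0, the default queue of the rules above)
suricata -c /etc/suricata/suricata.yaml -q 0
### or modify the service config file as:
systemctl edit suricata.service
## Line to put in the override (unit-file syntax, not a shell command). In a drop-in
## it belongs under [Service], preceded by an empty "ExecStart=" line that clears
## the packaged command.
ExecStart=/usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid -q 0 -vvv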