How to Configure Suricata IDS/IPS on RHEL 7

Suricata is a high-performance, open-source network threat detection engine maintained by the Open Information Security Foundation (OISF). It can operate as an Intrusion Detection System (IDS), passively monitoring traffic and alerting on suspicious patterns, or as an Intrusion Prevention System (IPS), actively blocking malicious connections using the Linux NFQUEUE target. Unlike older single-threaded signature engines, Suricata is multi-threaded, capable of processing network traffic at multi-gigabit speeds, and supports advanced features such as file extraction, TLS certificate inspection, and protocol anomaly detection. This guide covers installing Suricata on RHEL 7, configuring the core settings, loading community rulesets, and running in both IDS and IPS modes.

Prerequisites

  • RHEL 7 system with root or sudo privileges
  • Active internet connection or local mirror with EPEL and OISF repositories
  • A dedicated monitoring network interface, or sufficient permissions to put your interface in promiscuous mode
  • At least 2 GB of RAM; 4 GB or more recommended for production environments
  • Python 3.6 or later (for suricata-update)
  • Basic understanding of network protocols and IP addressing

Step 1: Add the OISF Copr Yum Repository

The OISF provides official RPM packages for RHEL/CentOS through a Copr repository. This ensures you receive the latest stable Suricata release with proper RHEL 7 support. First, enable EPEL, then add the OISF repository:

# Enable EPEL repository
yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm

# Add the OISF Suricata repository
yum install -y yum-plugin-copr
yum copr enable @oisf/suricata-7.0 epel-7-x86_64

# Alternatively, create the repo file manually
cat > /etc/yum.repos.d/suricata.repo << 'EOF'
[suricata]
name=Suricata OISF repository
baseurl=https://copr-be.cloud.fedoraproject.org/results/%40oisf/suricata-7.0/epel-7-x86_64/
gpgcheck=1
gpgkey=https://copr-be.cloud.fedoraproject.org/results/%40oisf/suricata-7.0/pubkey.gpg
enabled=1
EOF

Step 2: Install Suricata

# Install Suricata and its utilities
yum install -y suricata

# Verify the installed version
suricata --build-info | head -5

# Check that suricata-update is available
suricata-update --version

The installation creates the following important paths:

  • /etc/suricata/suricata.yaml — main configuration file
  • /var/log/suricata/ — log directory (fast.log, eve.json, stats.log)
  • /var/lib/suricata/rules/ — downloaded rulesets
  • /usr/share/suricata/rules/ — built-in rules

Step 3: Configure suricata.yaml

The main configuration file /etc/suricata/suricata.yaml is large and well-commented. The critical settings to configure for initial deployment are HOME_NET, the capture interface, and the log directory. Open the file:

vi /etc/suricata/suricata.yaml

Locate and edit the HOME_NET variable to reflect your internal network ranges:

vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
    HTTP_SERVERS: "$HOME_NET"
    SMTP_SERVERS: "$HOME_NET"
    SQL_SERVERS: "$HOME_NET"
    DNS_SERVERS: "$HOME_NET"
    TELNET_SERVERS: "$HOME_NET"
    AIM_SERVERS: "$EXTERNAL_NET"
    DC_SERVERS: "$HOME_NET"
    DNP3_SERVER: "$HOME_NET"
    DNP3_CLIENT: "$HOME_NET"
    MODBUS_CLIENT: "$HOME_NET"
    MODBUS_SERVER: "$HOME_NET"
    ENIP_CLIENT: "$HOME_NET"
    ENIP_SERVER: "$HOME_NET"

Configure the af-packet section to set the capture interface. Find the af-packet block and set your interface name (use ip link to find it):

af-packet:
  - interface: eth0
    # Number of receive threads
    threads: auto
    # Default clusterid. For each interface, a unique clusterid is needed.
    cluster-id: 99
    # Default clustering algorithm
    cluster-type: cluster_flow
    defrag: yes
    # Memory-mapped ring-buffer capture settings for high-throughput monitoring
    use-mmap: yes
    tpacket-v3: yes
    ring-size: 2048
    block-size: 32768
    block-timeout: 10
    use-emergency-flush: yes
    buffer-size: 32768
    rollover: yes

Ensure the log directory and key log types are properly configured:

default-log-dir: /var/log/suricata/

outputs:
  # Fast (simple) alert log
  - fast:
      enabled: yes
      filename: fast.log
      append: yes

  # EVE JSON output - the recommended structured log format
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert:
            payload: yes
            payload-printable: yes
            packet: yes
            metadata: yes
        - http:
            extended: yes
        - dns:
        - tls:
            extended: yes
        - files:
            force-magic: no
        - smtp:
        - flow

Step 4: Update Rules with suricata-update

Suricata uses signature-based detection rules. The suricata-update tool manages downloading and updating rulesets from multiple sources including Emerging Threats Open (free) and Proofpoint ET Pro (commercial):

# Update the default ruleset (Emerging Threats Open is enabled by default)
suricata-update

# List available free rule sources
suricata-update list-sources

# Enable additional free sources
suricata-update enable-source et/open
suricata-update enable-source oisf/trafficid

# Run update again to fetch all enabled sources
suricata-update

# Verify rules were downloaded
ls -lh /var/lib/suricata/rules/suricata.rules
wc -l /var/lib/suricata/rules/suricata.rules

Test the configuration file syntax before starting the service:

suricata -T -c /etc/suricata/suricata.yaml -v

This validates the YAML syntax and rule files without starting a capture. Fix any errors reported before proceeding.

Step 5: Run Suricata in IDS Mode

In IDS mode, Suricata passively monitors a copy of network traffic and generates alerts without blocking anything. This is the safest mode to start with when first deploying. Start the service:

systemctl start suricata
systemctl enable suricata
systemctl status suricata

Monitor the alert log in real time:

tail -f /var/log/suricata/fast.log

The fast.log format looks like:

05/17/2026-12:00:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.1.50:54321

For structured JSON output, use jq to parse the EVE log:

yum install -y jq
tail -f /var/log/suricata/eve.json | jq 'select(.event_type=="alert")'

Step 6: Run Suricata in IPS Mode with NFQUEUE

In IPS mode, Suricata intercepts packets using the Linux kernel’s NFQUEUE target. Packets are sent to a queue where Suricata can either accept or drop them. This mode requires kernel module support and modified iptables rules.

# Stop the IDS mode instance first
systemctl stop suricata

# Load the nfqueue kernel module
modprobe nfnetlink_queue
echo "nfnetlink_queue" > /etc/modules-load.d/nfqueue.conf

# Add iptables rules to send traffic through NFQUEUE
# Replace eth0 with your interface
iptables -I INPUT -i eth0 -j NFQUEUE --queue-num 0 --queue-bypass
iptables -I OUTPUT -o eth0 -j NFQUEUE --queue-num 0 --queue-bypass
iptables -I FORWARD -j NFQUEUE --queue-num 0 --queue-bypass

# Save iptables rules
iptables-save > /etc/sysconfig/iptables

Edit the Suricata systemd service to run in NFQUEUE mode by creating an override:

mkdir -p /etc/systemd/system/suricata.service.d/
cat > /etc/systemd/system/suricata.service.d/ips.conf << 'EOF'
[Service]
ExecStart=
ExecStart=/usr/sbin/suricata -c /etc/suricata/suricata.yaml -q 0
EOF

systemctl daemon-reload
systemctl start suricata

For rules to actively block in IPS mode, the rule action must be drop instead of alert. You can configure this in suricata.yaml under the action-order section, or add a custom drop rule:

# Example custom drop rule in /etc/suricata/rules/local.rules
drop tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Block suspicious UA"; content:"sqlmap"; http_user_agent; nocase; sid:9000001; rev:1;)
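The jq one-liner in Step 5 shows individual alerts; in practice you want to aggregate them and, once IPS mode is on, see which alerts Suricata actually blocked. The following Python script is an added example, not part of this guide or of Suricata; it parses EVE JSON alert events (the `alert.action` field is "allowed" in IDS mode and "blocked" when a drop rule such as sid 9000001 above fires) and summarizes them by signature and source. The sample lines are constructed to mirror eve.json's shape and are not captured traffic.

```python
import json
from collections import Counter

# Constructed EVE JSON lines (one JSON object per line, as Suricata writes eve.json).
# Not captured from a real sensor; the last line simulates a truncated write.
SAMPLE_EVE = """\
{"timestamp":"2026-05-17T12:00:01.123456+0000","event_type":"alert","src_ip":"203.0.113.5","src_port":80,"dest_ip":"192.168.1.50","dest_port":54321,"proto":"TCP","alert":{"action":"allowed","gid":1,"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2026-05-17T12:00:02.000000+0000","event_type":"flow","src_ip":"192.168.1.50","dest_ip":"203.0.113.5","proto":"TCP"}
{"timestamp":"2026-05-17T12:00:03.500000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":44321,"dest_ip":"192.168.1.20","dest_port":80,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,"signature":"Block suspicious UA","category":"","severity":3}}
{"timestamp":"2026-05-17T12:00:04.000000+0000","event_type":"alert","src_ip":"198.51.100.7","src_port":44322,"dest_ip":"192.168.1.20","dest_port":80,"proto":"TCP","alert":{"action":"blocked","gid":1,"signature_id":9000001,"rev":1,"signature":"Block suspicious UA","category":"","severity":3}}
{"timestamp":"2026-05-17T12:00:05.000000+0000","event_type":"ale
"""


def parse_eve_alerts(text):
    """Yield alert events from EVE JSON text, skipping non-alert and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not abort triage
        if event.get("event_type") == "alert":
            yield event


def summarize_alerts(text):
    """Count alerts per signature and per source IP, and tally IPS actions."""
    by_sid, by_src, actions = Counter(), Counter(), Counter()
    for ev in parse_eve_alerts(text):
        a = ev["alert"]
        by_sid[(a["signature_id"], a["signature"])] += 1
        by_src[ev["src_ip"]] += 1
        # "blocked" only appears when Suricata runs inline (Step 6) and a drop rule matches
        actions[a.get("action", "allowed")] += 1
    return {"by_sid": by_sid, "by_src": by_src, "actions": actions}


if __name__ == "__main__":
    summary = summarize_alerts(SAMPLE_EVE)
    for (sid, msg), n in summary["by_sid"].most_common():
        print(f"{n:4d}  sid {sid}  {msg}")
    print("top sources:", summary["by_src"].most_common(3))
    print("actions:", dict(summary["actions"]))
```

Point it at the real file with `summarize_alerts(open("/var/log/suricata/eve.json").read())` to get the same summary for a live sensor.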

Step 7: Testing with the EICAR String

The EICAR test string is a standard way to verify that detection fires without using real malware. The same principle applies to a NIDS: the Emerging Threats ruleset includes signatures that match harmless, well-known test patterns, so you can confirm that rules fire safely:

# From the monitored host, make a request that triggers an ET rule
# testmynids.org serves a harmless page whose response body matches a
# known attack-response signature (compare the fast.log sample in Step 5)
curl -A "BlackSun" http://testmynids.org/uid/index.html

# Or fetch the same page with curl's default User-Agent
curl -s "http://testmynids.org/uid/index.html"

# Check for alerts
tail /var/log/suricata/fast.log

You can also write a simple custom rule to test your setup end-to-end:

# Add a test rule
echo 'alert icmp any any -> $HOME_NET any (msg:"ICMP Ping Detected"; itype:8; sid:9999999; rev:1;)' >> /etc/suricata/rules/local.rules

# Reload rules without restart
systemctl kill -s USR2 suricata

# Trigger it
ping -c 3 192.168.1.1

# Check the log
grep "ICMP Ping" /var/log/suricata/fast.log

Suricata is a powerful, production-grade IDS/IPS that significantly enhances the visibility and security posture of your RHEL 7 environment. Starting in IDS mode allows you to tune alert thresholds and suppress false positives before switching to active IPS blocking. Combine Suricata’s EVE JSON logs with a SIEM or log aggregation platform like Elasticsearch (ELK stack) for enterprise-grade threat hunting and incident response capabilities.