Step‑by‑Step Guide to Installing Suricata and Understanding Its Working Modes

This guide walks through installing Suricata on a Linux system, covering prerequisite libraries, source compilation, configuration paths, execution command, and an analysis of its packet‑processing modes—including single, work, and autofp—while illustrating thread workflow and recommending optimal setups for multi‑NIC environments.

Huolala Safety Emergency Response Center

Suricata is a free, open‑source, high‑performance network threat detection engine capable of IDS, IPS, NSM, and offline pcap processing. It uses a powerful rule language and Lua scripting, and integrates easily with SIEMs, Splunk, Logstash/Elasticsearch, Kibana, and other tools via standard YAML and JSON formats.

Installation

2.1 Install dependencies

yum install -y git epel-release make autoconf gcc-c++ automake cmake libtool pcre-devel libyaml-devel jansson-devel libpcap-devel file-devel zlib-devel nss-devel libcap-ng-devel libnet-devel libnetfilter_queue-devel lua-devel lz4-devel xz-devel json-c-devel librdkafka-devel luajit-devel python-pip ragel
yum install -y rust cargo pcre2-devel
cargo install --force cbindgen
cp /root/.cargo/bin/cbindgen /usr/bin/
pip install pyyaml json-lines

2.2 Download source and compile

git clone https://github.com/OISF/suricata.git

cd suricata

git clone https://github.com/OISF/libhtp

(libhtp is Suricata's HTTP parsing library; it is checked out inside the suricata directory so that autogen.sh and configure pick it up.)

./autogen.sh

Configure with desired flags:

CFLAGS=-g ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-nfqueue --enable-luajit --enable-debug

Explanation: CFLAGS=-g keeps debug symbols in the binary (the variable has to be CFLAGS; configure does not read a bare FLAGS=); --prefix, --sysconfdir and --localstatedir put the binaries under /usr, the configuration under /etc and state and logs under /var; --enable-nfqueue builds NFQUEUE support for inline IPS operation; --enable-luajit enables LuaJIT for rule and output scripts; --enable-debug turns on debug logging, which costs throughput and is meant for the code analysis that follows, not for a production sensor.

make && make install && make install-conf

After installation the executables are placed in /usr/bin (suricata, suricatactl, suricatasc, suricata-update). Configuration files reside in /etc/suricata (classification.config, reference.config, suricata.yaml, threshold.config). Logs are written to /var/log/suricata. Rule files live in /var/lib/suricata/rules; that directory is empty after make install-conf and is populated by running suricata-update (make install-full performs both steps).

2.3 Run Suricata

suricata -c /etc/suricata/suricata.yaml -i enp0s3

Replace enp0s3 with the network interface you wish to monitor; on Linux, -i selects AF_PACKET capture, which is the path traced in the work-mode analysis below. Opening an interface requires root or the CAP_NET_RAW and CAP_NET_ADMIN capabilities (the libcap-ng dependency installed above is what lets Suricata drop to an unprivileged account after start-up via its --user and --group options), and it is worth validating the configuration with the -T option before a live run. The article uses Suricata version 7.0.

Suricata basic information

The guide then presents an analysis of Suricata’s working modes.

4.1 Single mode

Single mode (runmode: single in suricata.yaml) runs one packet-processing thread that captures, decodes, inspects and logs on its own. It supports only one network interface and is mainly useful for pcap replay and debugging, not for a busy sensor.

4.2 Work mode

Work mode (runmode: workers) creates a configurable number of worker threads per NIC (threads: auto in the af-packet section picks one thread per available core). Each worker owns one capture queue on its NIC and runs the whole pipeline for the packets it receives: capture, decode, flow tracking, stream reassembly, detection and output, with no hand-off to another thread.

4.3 Autofp mode

Autofp (auto flow-pinned) mode (runmode: autofp) is more complex: it splits the work between capture threads, which acquire and decode packets, and a pool of detect threads. A capture thread hashes each packet's flow and pushes the packet onto the queue of the detect thread that owns that flow, so both directions of a flow are still handled by one thread, at the cost of an inter-thread queue operation per packet.

4.4 Work thread processing flow

Packet processing in a work thread follows a slot-based registration model: each thread module (receive, decode, flow worker, and so on) is registered as a slot on the thread, and the packet-acquisition loop drives the chain of slots. For the af-packet work mode, the function call sequence is:

TmThreadsSlotPktAcqLoop → ReceiveAFPLoop → AFPReadFromRing → TmThreadsSlotProcessPkt → TmThreadsSlotVarRun → SlotFunc (FlowWorker)

ReceiveAFPLoop is the packet-acquisition callback of the receive slot: it pulls frames from the AF_PACKET ring through AFPReadFromRing and hands each packet to TmThreadsSlotProcessPkt, which walks the remaining slots. FlowWorker is the SlotFunc of the flow-worker slot and performs flow lookup, TCP stream reassembly, application-layer parsing, detection and output for that packet within the same thread.

In multi-NIC capture scenarios the work mode is recommended: it avoids the per-packet queue hand-off of autofp, and with the af-packet cluster-type set to cluster_flow the kernel hashes each flow to a single ring, so every packet of a five-tuple (both directions) is steered to the same worker thread. That keeps per-flow stream state and counters consistent, which aids statistical analysis during an attack.
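The flow pinning that sections 4.2 and 4.3 rely on, and the five-tuple steering recommended above, can be illustrated with a small dispatcher model. This is an added example written for this page, not Suricata source and not code from the original article: the hash is a simplified stand-in for Suricata's flow hash and for the af-packet cluster_flow hash rather than a copy of either, the worker count and packet layout are assumptions, and all packets are constructed sample data. It shows the property a practitioner should check in any flow-based distribution, that the hash is symmetric in source and destination so a request and its reply land on the same thread, and what the direction-dependent mistake looks like.

```python
"""Flow pinning, as used by Suricata's work (workers) and autofp modes.

Added illustration, not Suricata source and not from the original article:
why every packet of a five-tuple must reach the same thread, and why the
distribution hash has to be symmetric in (src, dst).  The hash below is a
simplified stand-in for Suricata's flow hash and the af-packet cluster_flow
hash, not a copy of either; all packets are constructed sample data.
"""
from dataclasses import dataclass
import hashlib
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: int  # 6 = TCP, 17 = UDP


def flow_key(pkt):
    """Direction-independent flow key: order the two endpoints so that
    A->B and B->A yield the same tuple (the property the flow table needs)."""
    a = (int(ipaddress.ip_address(pkt.src)), pkt.sport)
    b = (int(ipaddress.ip_address(pkt.dst)), pkt.dport)
    lo, hi = (a, b) if a <= b else (b, a)
    return (pkt.proto, lo, hi)


def _h32(value):
    """Stable 32-bit hash of a Python value (hashlib rather than hash(), so
    the result does not change between interpreter runs)."""
    digest = hashlib.blake2b(repr(value).encode(), digest_size=4).digest()
    return int.from_bytes(digest, "big")


def worker_for(pkt, n_workers):
    """Symmetric distribution: both directions of a flow map to one worker."""
    return _h32(flow_key(pkt)) % n_workers


def naive_worker_for(pkt, n_workers):
    """Direction-dependent distribution (the mistake): hashes the raw
    src/dst order, so a request and its reply can land on different workers."""
    return _h32((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)) % n_workers


def distribute(packets, n_workers, hasher=worker_for):
    """Dispatch packets to per-worker queues the way a cluster_flow ring
    selection (workers mode) or an autofp capture thread would."""
    queues = {i: [] for i in range(n_workers)}
    for p in packets:
        queues[hasher(p, n_workers)].append(p)
    return queues


def flows_split_across_workers(packets, n_workers, hasher):
    """Number of flows whose packets were handled by more than one worker;
    anything above zero means stream/app-layer state is lost for that flow."""
    owners = {}
    for p in packets:
        owners.setdefault(flow_key(p), set()).add(hasher(p, n_workers))
    return sum(1 for w in owners.values() if len(w) > 1)


def make_flows(n):
    """Constructed sample traffic: n TCP sessions from distinct clients to
    one HTTPS server, each with a request packet and its reply."""
    pkts = []
    for i in range(n):
        client, sport = f"10.0.{i // 256}.{i % 256}", 40000 + i
        pkts.append(Packet(client, "93.184.216.34", sport, 443, 6))  # client -> server
        pkts.append(Packet("93.184.216.34", client, 443, sport, 6))  # server -> client
    return pkts


if __name__ == "__main__":
    traffic = make_flows(64)
    for name, h in (("symmetric", worker_for), ("naive", naive_worker_for)):
        split = flows_split_across_workers(traffic, 4, h)
        sizes = [len(q) for q in distribute(traffic, 4, h).values()]
        print(f"{name:9s} hash: {split} flows split across workers, queue sizes {sizes}")
```

Running the script with the symmetric hash reports zero split flows, while the naive hash scatters request and reply packets of the same session over different workers. The same check applies to a real sensor: if NIC RSS or the cluster-type chosen in suricata.yaml hashes asymmetrically, Suricata's workers see half-flows and stream reassembly and detection silently degrade.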

The article mentions future topics such as detailed protocol parsing (MySQL, POP3, HTTP, DNS), logging, rule matching, and performance optimizations.

Written by

Huolala Safety Emergency Response Center

Official public account of the Huolala Safety Emergency Response Center (LLSRC)
