1 Add the Suricata PPA

# apt-get install software-properties-common
# add-apt-repository ppa:oisf/suricata-stable
# apt-get update

2 Install Suricata

# apt-get install suricata

3 Add a 'suricata' system user with no login shell

# useradd -r -s /usr/sbin/nologin suricata

4 Edit Suricata's default mode and configure Suricata to run as the service user

# editor /etc/default/suricata
# Default config for Suricata
# Settings in this file are read by the init.d script when it starts Suricata.

# set to yes to start the server in the init.d script
RUN=yes

# set to user that will run suricata in the init.d script (used for dropping privileges only)
# The account must exist before the service is started (step 3 creates it).
# The value appears as --user=suricata on the running process (see step 7).
RUN_AS_USER=suricata

# Configuration file to load
# Appears as the -c argument on the running process (see step 7).
SURCONF=/etc/suricata/suricata.yaml

# Listen mode: pcap, nfqueue or af-packet
# depending on this value, only one of the two following options
# will be used (af-packet uses neither).
# Please note that IPS mode is only available when using nfqueue
# With pcap selected here, IFACE below is used and NFQUEUE is ignored;
# per the note above, IPS mode is not available in this mode.
LISTENMODE=pcap

# Interface to listen on (for pcap mode)
# Appears as the -i argument on the running process (see step 7).
# NOTE(review): eth0 is this guide's value; confirm the capture interface
# name on the host being monitored.
IFACE=eth0

# Queue number to listen on (for nfqueue mode)
# Not used while LISTENMODE=pcap.
NFQUEUE=0

# Load Google TCMALLOC if libtcmalloc-minimal0 is installed
# This _might_ give you very very small performance gain....
TCMALLOC="YES"

# Pid file
# Appears as the --pidfile argument on the running process (see step 7).
# NOTE(review): only the log directory is chowned in step 5; verify that the
# pid file is still created and removed correctly once privileges are dropped.
PIDFILE=/var/run/suricata.pid

5 Ensure that the Suricata log directory is owned by the 'suricata' user, so that Suricata can still write its logs after dropping privileges

# chown -R suricata:suricata /var/log/suricata

6 Start Suricata

# service suricata start

7 Verify that Suricata is running as the 'suricata' user (the first column of the ps output shows the account the process runs under)

# ps aux | grep suricata
suricata 28296  107 59.9 366140 304160 ?       Ssl  22:47   0:05 /usr/bin/suricata -c /etc/suricata/suricata.yaml --pidfile /var/run/suricata.pid -i eth0 -D -v --user=suricata