Architecture and Data aggregation

Hello Suricata community,

I want to run an IDS and I am quite new to those topics. After some research, Suricata seems to be very promising. I checked the documentation of Suricata for general understanding. Nevertheless, I still have basic questions concerning this IDS and I hope that someone could help me a bit.

First of all:

  1. Can Suricata run in an n-tier approach, where several sensors in the network send the captured traffic to some kind of Master Server where the data from the sensors are aggregated and analyzed for anomalies? Because I think that checking for anomalies is more effective when analyzing the big picture.

  2. How does the anomaly detection work in Suricata? I found some free and publicly available datasets for IDSs. Do I train Suricata with datasets and deep learning methods? Or does the detection engine work without AI methods?

  3. Is it possible to use Suricata also as a cumulative log server that collects log messages from different entities in the network? If yes: can the detection engine work upon the log messages that are sent to Suricata from those entities, or can Suricata only check for anomalies on logs from Suricata sensors?

I would be thankful if someone could share some expertise on this :slight_smile:

Thank you!