Hello, I am new.
I am using Suricata on a separate server.
I mean:
on VM A (Ubuntu): there is an interface named enp0s8
on VM B (Debian): there is Suricata
== So I want to capture all packets on enp0s8
How can I do that? How can I connect Suricata to that port?
NB: there is already a mirror on enp0s8, but I don't know how to connect Suricata to it because it is on another server.
Thank you very much
Let’s see if it serves as a clue
-Remote: Windows 7/10.
-Local: Ubuntu 18.04
-SSH into VPN
ssh email@example.com -p2223 'C:/tmp/WinDump.exe -i1 -s0 -U -w - icmp and not port 2223' | sed '1d' | stdbuf -oL tcpdump -nn -r - -w - | stdbuf -oL suricata -knone -c /etc/suricata/suricata_no_dataset.yaml -l ./ -r /dev/stdin -l ./win7_su_log
[Screenshot from 2020-03-27 12-30-08]
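As an added example, not from this thread, the same idea in its Linux form: tcpdump on the remote box streams pcap over SSH and Suricata on the local box reads it from stdin. It assumes VM A is reachable as host `vma` on SSH port 2223 (placeholder values), that the mirror port there is enp0s8, and it refuses arguments that could break out of the quoted remote command, since the interface name ends up inside a shell command on VM A.

```shell
#!/bin/sh
# Added example (not the thread's own command). Builds the remote-capture pipeline:
#   ssh -> tcpdump on the mirror port of VM A -> pcap stream -> suricata on VM B
# Arguments: ssh host, ssh port, remote interface, local Suricata log directory.
# Returns 1 (and builds nothing) when an argument contains characters that could
# escape the single-quoted remote command or the local command line.
remote_capture_cmd() {
    host="$1"; port="$2"; iface="$3"; logdir="$4"
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    case "$iface" in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac
    case "$host" in ''|*[!A-Za-z0-9_.@-]*) return 1 ;; esac
    case "$logdir" in ''|*[!A-Za-z0-9_./-]*) return 1 ;; esac
    # "not port $port" keeps the SSH session that carries the capture out of the capture;
    # without it every captured byte is sent back over SSH, captured again, and so on.
    # -U flushes each packet as it arrives, -s0 keeps whole packets, -w - writes pcap to stdout.
    printf '%s%s' \
        "ssh -p $port $host 'tcpdump -i $iface -U -s0 -w - not port $port'" \
        " | suricata -c /etc/suricata/suricata.yaml -l $logdir -r /dev/stdin"
}

# To run it for real (needs SSH access to VM A and tcpdump there, Suricata on VM B):
#   eval "$(remote_capture_cmd vma 2223 enp0s8 /var/log/suricata)"
```

Check the stream first with `tcpdump -r -` in place of Suricata to confirm the mirror actually delivers the traffic you expect before reading it into Suricata.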
Thank you very much for your response.
But I need to supervise the port remotely all the time, not by accessing it over SSH, i.e. I need a continuous connection between Suricata and this port. How can I do this?
What type of virtualisation is it?
It would make more sense to forward the traffic from that mirror to an interface at the VM B
I use virtual machines inside VirtualBox.
I already created a mirror on VM A (Open vSwitch), and I need Suricata to watch this mirror port.
The mirror is among the ports of the Open vSwitch,
i.e. enp0s8 is the mirror port.
Why don’t you mirror the traffic you want to see to an interface that is attached to VM B?
That's what I want to do, but I don't know how to do that.
The same way you do forward the traffic to the interface on VM A?
I might misunderstand your setup, maybe you can explain it in a bit more detail or draw a small schema to better understand the actual setup and traffic flow.
How can I achieve this? What are the command lines I should put in Suricata?
So VM A has enp0s8 connected to VM B via an interface?
Is enp0s8 also connected to something else and how is the traffic flow?
I wouldn't start looking into how Suricata should run before we have figured out what your setup actually looks like and what you want to achieve.
Actually, enp0s8 is not yet connected to Suricata, but that's what I want to do.
I want to know what manipulations are needed so that Suricata can monitor a remote port on another machine.
There is a switch on VM A, and the enp0s8 port is a mirror port located on this switch (copies of the packets transiting inside the VM A switch are available at enp0s8), so I want to continuously scan this port (enp0s8).
So openvswitch is running inside the VM A?
How did you exactly setup VM A and VM B in VirtualBox?
But I guess that would be better solved by VirtualBox experts.
This is what I am trying to do,
VM B contains Suricata.
How can I do it?
What I would do is run tcpdump on that NIC and ideally look into the traffic to see whether it's the correct one and complete. If not, it's something within the forwarding setup.