I’m afraid I’ve got a basic question I can’t wrap my head around, on the subject of $HOME_NET and general traffic flow through Suricata. Hoping you can shed some light on the matter for a newcomer.
I’ve got Suricata running as a daemon on a Linux machine (5.0.3), sitting between the edge FW and the application proxies.
Suppose we’ve got a setup as presented in the picture.
I’m mostly concerned with monitoring incoming traffic - let’s assume Srv01-03 are just web servers, i.e. there’ll be significantly more remotely originated traffic going into the environment than local requests going out.
- If I configure Suricata to listen on eth0 on server IDS01, then the only IP addresses this interface will ever see are 172.16.16.1 and 172.16.16.2. In that case, HOME_NET = 172.16.16.2/32, right?
- If I configure Suricata to listen on eth1 on server IDS01, then the only IP addresses this interface will ever see are 192.168.1.1 and 192.168.1.2. In that case, HOME_NET = 192.168.1.2/32, right?
- If I want to monitor both eth1 and eth2 on IDS01 and those networks “trust” each other, I could set HOME_NET = 192.168.1.2/32,192.168.2.2/32
- If I want to monitor both eth1 and eth0 on IDS01 but these networks don’t trust each other, i.e. traffic from 192.168.2.0/24 into 192.168.1.0/24 should be treated as external / suspicious and vice-versa, what should I put as HOME_NET?
- If I wanted to monitor eth0, eth1 and eth2 on IDS01, what would be the best practices / tools to assemble traffic flows between the interfaces, for monitoring / troubleshooting purposes?
- Would it even make sense to monitor eth0 in that case or would that just result in duplication of alerts?
- Are there obvious flaws in this setup, on top of the fact that Suricata sees just traffic between 2 IP addresses instead of the real target hosts?
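Added here as an illustration (not code from the original post or from the Suricata project): a small Python model of how the HOME_NET / EXTERNAL_NET address-group expressions in suricata.yaml (under `vars: address-groups:`) decide whether a flow looks inbound, outbound or internal, and therefore whether a rule header such as `$EXTERNAL_NET any -> $HOME_NET any` can match it. The two candidate HOME_NET values and all addresses are constructed from the numbers in the question; the parser only handles CIDR entries, bracketed comma lists, `!` negation, `$VAR` references and `any`, and ignores ports.

```python
"""Toy model of how Suricata's HOME_NET / EXTERNAL_NET address groups decide
which direction a flow has, and therefore which rule headers can match it.

This is an added illustration, not Suricata's own code: it supports the
address-group syntax pieces used in the question (CIDR entries, comma lists
in [...], `!` negation, `$VAR` references and `any`) and ignores ports.
"""
import ipaddress


def _split_top_level(text):
    """Split a bracketed list on commas that are not nested inside [...]."""
    parts, depth, current = [], 0, []
    for ch in text:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]


def matches(expr, ip, variables=None):
    """Return True if `ip` is covered by the Suricata address-group `expr`.

    `variables` maps names such as HOME_NET to their expressions so that
    `$HOME_NET` and `!$HOME_NET` can be resolved.
    """
    variables = variables or {}
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not matches(expr[1:], ip, variables)
    if expr.startswith("$"):
        return matches(variables[expr[1:]], ip, variables)
    if expr.startswith("["):
        if not expr.endswith("]"):
            raise ValueError(f"unbalanced address group: {expr}")
        items = _split_top_level(expr[1:-1])
        positives = [i for i in items if not i.startswith("!")]
        negatives = [i for i in items if i.startswith("!")]
        # A group with only negated entries means "everything except these".
        in_positive = (any(matches(i, ip, variables) for i in positives)
                       if positives else True)
        in_negative = any(matches(i[1:], ip, variables) for i in negatives)
        return in_positive and not in_negative
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)


def classify_flow(variables, src, dst):
    """Label a flow relative to HOME_NET, the way rule headers see it."""
    src_home = matches("$HOME_NET", src, variables)
    dst_home = matches("$HOME_NET", dst, variables)
    if src_home and dst_home:
        return "internal"
    if dst_home:
        return "inbound"
    if src_home:
        return "outbound"
    return "transit"


def header_matches(src_group, dst_group, src, dst, variables):
    """Evaluate the address part of a rule header such as
    `alert tcp $EXTERNAL_NET any -> $HOME_NET 80` (ports ignored)."""
    return matches(src_group, src, variables) and matches(dst_group, dst, variables)


# Constructed variable sets using the addresses from the question; these are
# illustrative values, not the contents of any real suricata.yaml.
ALL_SEGMENTS_TRUSTED = {
    "HOME_NET": "[172.16.16.2/32,192.168.1.2/32,192.168.2.2/32]",
    "EXTERNAL_NET": "!$HOME_NET",
}
SEGMENT1_ONLY = {
    "HOME_NET": "192.168.1.2/32",
    "EXTERNAL_NET": "!$HOME_NET",
}

if __name__ == "__main__":
    for name, variables in (("all segments in HOME_NET", ALL_SEGMENTS_TRUSTED),
                            ("only 192.168.1.2 in HOME_NET", SEGMENT1_ONLY)):
        print(f"--- {name}")
        for src, dst in (("172.16.16.1", "172.16.16.2"),
                         ("192.168.2.2", "192.168.1.2"),
                         ("192.168.1.2", "192.168.1.1")):
            fired = header_matches("$EXTERNAL_NET", "$HOME_NET", src, dst, variables)
            print(f"{src} -> {dst}: {classify_flow(variables, src, dst):8s} "
                  f"EXTERNAL->HOME rule matches: {fired}")
```

Running the script shows the practical consequence of the "trust" choice asked about: with both segment addresses in HOME_NET, a flow from 192.168.2.2 to 192.168.1.2 is classified as internal and a rule written as `$EXTERNAL_NET -> $HOME_NET` does not match it, whereas with HOME_NET limited to 192.168.1.2/32 the same flow counts as inbound and the rule does match. Rules that should fire on traffic between segments therefore need either a narrower HOME_NET per monitored interface or headers written against dedicated address-group variables rather than `$EXTERNAL_NET`.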