How to deploy suricata at Internet Link using a VM

Theoka81 · July 15, 2023, 5:22pm

Hello folks
I am new in this platform and trying to learn how to deploy Suricata to monitor network traffic as it comes and goes out through the Fortigate firewall?

May scenario is as follows.

Most of my servers are VMs running on Huawei Virtualization platform Machines, this also includes the system that I am going to deploy Suricata on, its also a VM.
I have most of my VM servers sitting on 2 different subnets. for Example lets say another group is on. 196.2.3.X and 172.2.3.x ranges
My fortigate firewall being on other range internally eg 10.141.0.2
All traffic or logs from Suricata would be sent to ELK stack using either elastic-agent or firebeat.

Where do I place my Suricata sensor and how can I configure the VM to capture traffic for all incoming and outgoing traffic in this scenario?

Please note also, should I get this correctly, I would like to expand Suricata to monitor traffic between endpoints and servers as well.
Your advice would be highly appreciated and would help a lot.

Andreas_Herz · July 31, 2023, 8:10pm

This depends mostly on your virtual environment. You would have to use the features of that to forward traffic from those VMs to the VM that runs Suricata.
This is not related to the subnets, ideally pure traffic mirroring on the virtual switch and forwarded to the VM and there you use an interface as capture interface.
Ideally Huawei provides documentation about traffic forwarding in the product.

Topic		Replies	Views
Possible to mirror traffic to Suricata? Help	3	462	October 16, 2023
Suricata in a virtual machine? Help	2	474	November 15, 2023
Forward firewall traffic Help	8	577	September 19, 2022
Architecture help Help ips , community , centos	2	1098	November 29, 2020
Suricata running in AWS Help	2	543	October 5, 2021

How to deploy suricata at Internet Link using a VM

Related Topics