How to Monitor Network Traffic from Multiple Systems Using Suricata

Hello Suricata Community,

I need guidance on setting up Suricata to monitor network traffic from multiple systems efficiently. My questions are:

  1. Do I need to install Suricata on each system, or is there a way to capture all network traffic from a central point?
  2. What is the best approach to achieve this? Should I use a network TAP, port mirroring (SPAN), or a dedicated Suricata server?
  3. I am using EveBox for alert monitoring—is it possible to centralize all logs into one dashboard instead of managing them individually?

Hi Mahek,

  1. Setting up a central Suricata instance is the usual approach - or multiple - depending on the size of the network.
  2. Yes, you generally want to use either tap or span - depends on what works for you. Whether you need to use a dedicated Suricata server depends on the capacity of your current servers but, yes, generally a separate server is recommended - but not needed if you have only a few Gbps of traffic - assume 400 Mbps of throughput per 1 cpu core.
  3. You can connect your Suricata instances to EveBox the same way as if you would be connecting just one Suricata.

Our network is set up as follows:

  • two data centers (one in New York, one in SFO)
  • around 50 machines total (40 in New York, 10 in SFO)
  • all our machines are exposed to the internet for various purposes. The firewall controls which ports are open for traffic in/out
  • we have set up 1 dedicated server for Suricata. Evebox is installed on the same server.

Questions

  • In Evebox, in the Src/Des column, we always see the IP address of our dedicated Suricata server. We never see any IP address of the 50 machines that we have. Does it mean that Suricata is monitoring network flow between external IPs and the dedicated Suricata server only? How can we make sure that all the traffic of all the 50 machines is also monitored?

  • Evebox shows us high severity entries. What is the recommended way to block malicious IPs identified in Evebox?

  • Is Suricata preventing these network requests? Or is it just reporting what it is able to see and match with the signatures? If it just reports what it sees, then what is the recommended way to act on it?

It sounds like you have Suricata monitoring the management port of the server on which Suricata is installed.

I think a review of the fundamentals might be helpful?

Check out chapter one of my 2013 book. It’s online for free from No Starch.

You’ll find explanations of how this works and a simple diagram that should help.

Hi, we’re using Suricata in a cloud-based setup and have a few questions regarding IP monitoring, centralized alerts, and real-time blocking:

  1. We have configured address-groups in suricata.yaml as follows:

    address-groups:
      HOME_NET: "[34.237.199.130/32,43.137.19.230/32,37.27.99.175/32,36.217.89.140/32]"

However, Suricata is only generating alerts for the first IP address (34.237.199.130) and not for the others.

  • Why is Suricata not generating alerts for the remaining IPs?
  • Is there any limitation or specific way to define multiple IPs in HOME_NET?
  • How can we ensure that Suricata monitors and alerts on traffic for all the IPs listed in HOME_NET?

  2. We have 50 virtual machines in the cloud, each running Suricata. Since we cannot use a SPAN port or network tap in the cloud, we are looking for a way to view all alerts from these 50 Suricata instances in a single dashboard.

  • What are the best practices to forward alerts from multiple Suricata instances to a centralized system?
  • Can we use a SIEM (like ELK, Splunk, or Wazuh) or a dedicated Suricata management tool?
  • Is there a recommended way to configure EveBox or another tool to collect alerts from all 50 PCs in one place?

  3. We want real-time notifications when attacks occur on our 50 cloud-based Suricata instances so that we can quickly block malicious IPs. Ideally, we need an alerting system that provides messages like:
    "This IP is sending malicious packets to your systems"

  • How can we set up real-time notifications for Suricata alerts? (Email, Slack, Telegram, Syslog, or another method?)
  • Can Suricata integrate with firewall automation to block malicious IPs immediately?
  • What tools or scripts can help us automate the blocking of malicious IPs based on Suricata alerts?

For your first question: if you run Tcpdump on a system where you expect to see

[34.237.199.130/32,43.137.19.230/32,37.27.99.175/32,36.217.89.140/32]

do you see that traffic?

Yes, I ran tcpdump, and the network traffic is being captured. For troubleshooting, if I need to monitor the second IP address (43.137.19.230), what should I do?

I don’t follow. Are you seeing all of the IP addresses that you care about

[34.237.199.130/32,43.137.19.230/32,37.27.99.175/32,36.217.89.140/32]

on the interface that Suricata is watching? If you set a filter with Tcpdump for those IP addresses, do you see all of them?

You can also check for flow event types to see if you actually captured traffic for those IPs.
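One way to run both checks suggested above (the tcpdump filter for the HOME_NET addresses, and the flow-event check in eve.json) in a single script. This is an added example, not code from the thread or from the Suricata project; the EVE records are constructed, and only the HOME_NET string comes from the poster's suricata.yaml:

```python
import ipaddress
import json
from collections import Counter

# HOME_NET exactly as written in the poster's suricata.yaml (straight quotes).
HOME_NET = "[34.237.199.130/32,43.137.19.230/32,37.27.99.175/32,36.217.89.140/32]"

def parse_home_net(value):
    """Turn a Suricata address-group string into a list of ip_network objects."""
    inner = value.strip().strip('"').strip("[]")
    return [ipaddress.ip_network(part.strip()) for part in inner.split(",") if part.strip()]

def bpf_filter(networks):
    """tcpdump/BPF filter matching any traffic to or from the HOME_NET ranges."""
    return " or ".join(f"net {net.with_prefixlen}" for net in networks)

def in_home_net(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)

def count_events(eve_lines, networks):
    """Count flow and alert events per HOME_NET host seen in EVE JSON lines."""
    flows, alerts = Counter(), Counter()
    for line in eve_lines:
        ev = json.loads(line)
        for ip in (ev.get("src_ip"), ev.get("dest_ip")):
            if ip and in_home_net(ip, networks):
                if ev.get("event_type") == "flow":
                    flows[ip] += 1
                elif ev.get("event_type") == "alert":
                    alerts[ip] += 1
    return flows, alerts

def missing_hosts(flows, networks):
    """/32 HOME_NET entries with no flow record at all: never captured on the interface."""
    return [str(net.network_address) for net in networks
            if net.prefixlen == 32 and str(net.network_address) not in flows]

# Constructed sample EVE records (not real log data): only the first HOME_NET host shows up,
# which is the symptom described in the thread.
SAMPLE_EVE = [
    '{"event_type":"flow","src_ip":"203.0.113.7","dest_ip":"34.237.199.130","proto":"TCP"}',
    '{"event_type":"alert","src_ip":"203.0.113.7","dest_ip":"34.237.199.130","alert":{"signature":"constructed test sig"}}',
    '{"event_type":"flow","src_ip":"34.237.199.130","dest_ip":"198.51.100.9","proto":"UDP"}',
    '{"event_type":"flow","src_ip":"198.51.100.9","dest_ip":"192.0.2.44","proto":"TCP"}',
]

if __name__ == "__main__":
    nets = parse_home_net(HOME_NET)
    print("tcpdump -n -i <capture_iface> '" + bpf_filter(nets) + "'")
    flows, alerts = count_events(SAMPLE_EVE, nets)
    print("flows per HOME_NET host:", dict(flows), "alerts:", dict(alerts))
    print("HOME_NET hosts with no flow records:", missing_hosts(flows, nets))
```

A HOME_NET host that appears in the tcpdump output but never in a flow record points at Suricata watching a different interface than the one you ran tcpdump on; a host absent from both was never delivered to that server in the first place.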