Impulse XDR: the easiest way to use Suricata

Hi everyone,

Deploying Suricata to production is hard, so I’m building Impulse, a fully automated XDR platform that leverages Suricata in its EDR sensor. Impulse makes getting started with Suricata as simple as pasting a link on the gateway/VM that you want monitored.

In terms of architecture, it is organised around a self-hosted, manager-sensor model that provides traditional SIEM capabilities like centralized log storage, indexing and normalization, but also automated log-correlation and real-time threat detection via its open-source sensors.

Suricata alerts, flows, dns, file logs etc. are automatically converted to a common format and visualised in the web-based user interface. There is no manual configuration or dashboard building: you just specify the network interface it’s supposed to listen to, run ./install_manager.sh and you start getting the best out of Suricata!

Hopefully, this project will help the large number of people who want to use a high-quality network IDS but don’t know how to set it up or configure it for optimal performance!

Repo: https://github.com/bgenev/impulse-xdr

Thanks,
Bozhidar

Do you have any docs to read on how to send Suricata logs to Impulse, please?
I just set up Impulse but I don’t know how to view Suricata logs on Impulse. Please help me configure this?
Best regards

Hi Le,

Here is the setup guide: Install the Manager | Impulse XDR

The manager can be installed in either “light” or “heavy” stand-alone mode.

In the .conf file for the manager specify this:

IP_MANAGER=<PUBLIC_IP_ADDRESS_OF_THE_HOST>
HOST_INTERFACE=<INTERFACE_OF_THE_HOST>
AGENT_TYPE=heavy
NIDS_ENABLED=true

This must be done prior to installation, so if you’ve already installed it, please uninstall and repeat.

Once it’s installed, go to the “Instance” panel and you’ll see NIDS stats and the option to view alerts in the tab bar. If this is a local VM there will probably be no alerts because there is no traffic. To test it properly either deploy on an internet-facing instance or generate traffic by attacking the VM with something like Nikto.

Regards

That means Impulse doesn’t integrate with Suricata, right?
And what if I want to monitor a lot of IPs in my environment, what should I do?
Because when I tap on Integrations I just see AbuseIPDB and VirusTotal.
May I ask what light and heavy are? What is the difference between light and heavy?
Best regards.

Suricata is integrated by default, it’s built into the “heavy” agent. You just need to specify

AGENT_TYPE=heavy
NIDS_ENABLED=true

in the .conf file of the manager and it will install and configure Suricata during the initial setup.

However, this is the simplest and easiest case where all network monitoring will be done from the manager instance.

The optimal way to do it is to create another VM and set up the “heavy” agent there. Set this other VM to promiscuous mode and it will monitor all traffic for all IPs on the network.

So basically the “light” EDR agent provides host intrusion detection & integrity monitoring (it’s a modern alternative to OSSEC), while “heavy” also does network monitoring. The main difference is in resource usage and use cases.

For example, in a small business network you will have 20 “light” agents, 1 on each workstation, and 1 “heavy” agent to monitor traffic for the whole network.

What if I have 3 VMs: VM1 (Windows 10), VM2 (Windows 11), VM3 (Ubuntu 22.04)
VM1 IP = 10.10.15.15
VM2 IP = 192.168.4.5
VM3 IP = 192.168.15.4 (I installed Impulse-xdr on this server)
The question is how I can connect the 3 VMs for monitoring on impulse-xdr, because in my test only IPs in the same range can be monitored.
Like you said, Impulse has an agent, so I need to install the agent on all endpoints to monitor them?
How can I install Impulse-xdr on an endpoint?
Best regards

If you want host-based monitoring on each machine then you have to install the “light” EDR on each.

In terms of network IDS, the “heavy” agent is used just like you will typically use Suricata. One Suricata instance for the entire network.

If the VMs are on separate networks though, you can install a heavy EDR on each VM and monitor its traffic that way; this is only recommended for corner cases and when you want joint monitoring of separate networks.

In your case, if the 3 VMs are connected to the same network then VM3 should be able to observe all traffic provided that 1) “promiscuous mode” is enabled on VM3 (also check “bridged” if VirtualBox) and 2) the network router is set to allow devices to talk to each other.

Regards
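The two replies above list the manager .conf keys (IP_MANAGER, HOST_INTERFACE, AGENT_TYPE, NIDS_ENABLED) and note that the settings must be right before installation and that the monitoring interface must be in promiscuous mode. The following pre-install check is an added example, not part of Impulse XDR; it assumes the conf file is a plain KEY=value file (the name manager.conf is made up) and reads the promiscuous flag from /sys/class/net on Linux.

```shell
#!/bin/sh
# Pre-install sanity check for an Impulse XDR manager .conf (added example,
# not project code). Keys match the thread; the file name is an assumption.

# Print the value of KEY ($2) from conf file $1; last occurrence wins.
conf_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# Return 0 if $1 is a plausible IPv4 address and not a <PLACEHOLDER>.
valid_ipv4() {
    case "$1" in *'<'*|*'>'*|"") return 1 ;; esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for oct in $(echo "$1" | tr '.' ' '); do
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# Return 0 if interface $1 exists and has IFF_PROMISC (0x100 = 256) set.
iface_promisc() {
    flags_file="/sys/class/net/$1/flags"
    [ -r "$flags_file" ] || return 1
    flags=$(cat "$flags_file")
    [ $(( flags & 256 )) -ne 0 ]
}

# Validate the NIDS-related settings of conf file $1; returns 1 on any problem.
check_conf() {
    rc=0
    ip=$(conf_get "$1" IP_MANAGER); iface=$(conf_get "$1" HOST_INTERFACE)
    agent=$(conf_get "$1" AGENT_TYPE); nids=$(conf_get "$1" NIDS_ENABLED)
    valid_ipv4 "$ip" || { echo "IP_MANAGER must be a real IPv4 address, got '$ip'"; rc=1; }
    case "$iface" in ""|*'<'*) echo "HOST_INTERFACE is unset or still a placeholder"; rc=1 ;; esac
    case "$agent" in light|heavy) ;; *) echo "AGENT_TYPE must be light or heavy, got '$agent'"; rc=1 ;; esac
    if [ "$nids" = "true" ] && [ "$agent" != "heavy" ]; then
        echo "NIDS_ENABLED=true requires AGENT_TYPE=heavy (Suricata ships in the heavy agent)"; rc=1
    fi
    return $rc
}

# Constructed sample conf (values made up) to show the checks in action.
sample_conf=$(mktemp)
printf 'IP_MANAGER=192.168.15.4\nHOST_INTERFACE=eth0\nAGENT_TYPE=heavy\nNIDS_ENABLED=true\n' > "$sample_conf"
check_conf "$sample_conf" && echo "conf looks consistent"
iface_promisc "$(conf_get "$sample_conf" HOST_INTERFACE)" || echo "note: eth0 missing or not in promiscuous mode"
rm -f "$sample_conf"
```

Run it on the real conf before ./install_manager.sh; a placeholder left in IP_MANAGER or NIDS_ENABLED=true with a light agent is reported, and the promiscuous check tells you whether Suricata will actually see the other VMs' traffic.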

So I need to install impulse-xdr on VM1 and VM2? From this (Install the Manager | Impulse XDR), right?
And set the impulse-xdr conf to light on VM1 and VM2, right?

If you only want network monitoring then you just need to install Impulse Manager on VM3 and provide its interface in the config. What traffic it sees on that interface is a network design problem.

The “light” EDR is for if you also want to get the HIDS features on the other two VMs, but it is not required for network monitoring.

I still don’t understand the Impulse agent?
Can you give me a link on how to install the Impulse agent on an endpoint?

Will be adding more info to the docs soon, here is the relevant part:

  1. Once the manager is set up, you go to “Asset Management” and click the “enrol asset” button where you specify the configuration for the new “heavy” EDR (which has Suricata built-in).

  2. It generates a tar archive and a link to pull the archive.

  3. You copy the link and paste it on the VM that will be your “monitoring VM”. Auto-install begins.