We have implemented source and target EC2 instance in pipeline in AWS and installed Suricata in target instance to monitor the source
When I trying to ping source instance from new system, that new system ip address and port details are not showing in Suricata logs
@Jeff_Lucovsky - Request your help on that. Please let me know if any other details required from my end
We are using latest version of Suricata 7.0.8
Is the Suricata (target instance) seeing the ping (icmp) traffic?
If these are linux instances, running tcpdump -i <interface> on the target instance will show the traffic if the network topology is setup properly.
@Jeff_Lucovsky - if we ping from source instance to target instance, and then running tcpdump -i interface on the target, then it is showing the icmp pings from source to target instance
If we try to ping source instance from command prompt, it is not capturing that traffic. we have configured the traffic mirror session from source to target, the source logs alone is not getting captured
Thanks for the update.
What packet capture method are you using?
Can you post your suricata.yaml config file and the command line used to start the suricata executable?
@Jeff_Lucovsky - Please find our update below
af and pcap are the packet capture methods we are using
Command line used for Suricata is suricata -c /etc/suricata/suricata.yaml -i eth0
Hi @Jeff_Lucovsky - could you please provide an update on the issue? Thanks
Can you post suricata.yaml?
@Jeff_Lucovsky - yaml file includes 18k lines. we don’t have access to download and share the yaml file. But we followed below command to install Suricata as mentioned in below url. We didn’t make any update to yaml file after installation
sudo -s
amazon-linux-extras install -y epel
yum install -y suricata
mkdir /var/lib/suricata/rules
echo ‘alert udp any any → any any (msg:“UDP traffic detected”; sid:200001; rev:1;)’ > /var/lib/suricata/rules/suricata.rules
suricata -c /etc/suricata/suricata.yaml -k none -i eth0 -D
@Jeff_Lucovsky - please help on the solution whenever possible
Please clarify the logs that you are expecting the ICMP traffic to appear in.
Suricata creates log output – not all of which are for alerts.
If you’re expecting alerts and not seeing them, please share the rule(s) and a pcap.
If you’re expecting flow records for the ICMP traffic and not seeing them, please confirm that flow logging is enabled.
we created 2 EC2 instances. 1 is source instance and 2 is target instance. we created traffic mirroring session between these two instances. Now we installed Suricata in the target instance. we tried pinging target instance ip address from command prompt (opened command prompt and given the command “ping target_ipaddress”. we can able to see those logs in fast.log. In the log it is hsowing the command prompt ip as the source ip, target instance ip as the destination ip. when we tried the same for checking source instance logs, ie., when we pinged source ip address from command prompt, those logs are not capturing in the fast.log, eventhough we configured the traffic mirror session correctly. we want assistance for what are the configuration changes that has to be done to capture the source instance logs also