Only getting alerts if $home_net and $external_net are set to "any"

I'm only getting alerts if my $home_net and $external_net in suricata.yml are set to "any". But I want to get alerts for the internal networks inside my organization.

This is my simple architecture.

Can you help me?

Hi Nuno,

Have you updated/customized the $HOME_NET and $EXTERNAL_NET variables in your suricata.yaml to be specific to your network? Specifically, you would need to know what IP ranges you expect to see across the mirrored ports and which IPs you consider internal/$HOME_NET and which you consider external/$EXTERNAL_NET.

For some explanation on how the variables are used, just in case some of it is unclear: https://suricata.readthedocs.io/en/suricata-6.0.0/configuration/suricata-yaml.html#rule-vars

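To make the reply concrete, here is an added example (not from the thread and not Suricata's own code): a small Python evaluator for the address-groups syntax that the linked rule-vars page describes (bracketed lists, CIDR entries, `!` negation, `$VAR` references, `any`), with simplified matching semantics. It runs a constructed inbound flow from an internet host to a host on 172.16.0.0/12 through the header of a typical `$EXTERNAL_NET any -> $HOME_NET any` rule under three constructed variable settings, and shows why the rule fires when both variables are `any`, stays silent when $HOME_NET does not cover the subnet actually seen on the mirror ports, and fires again once $HOME_NET lists that subnet. The flow addresses and the three configurations are constructed for the example.

```python
"""Simplified evaluator for Suricata-style address-group variables.

Added example, not Suricata's own matching code. Semantics are a
simplification of what the rule-vars documentation describes: an entry is a
single IP or CIDR, 'any', a $VAR reference, or a nested bracketed list; a
leading '!' negates it. A list matches an address if some positive entry
matches and no negated entry matches; a list containing only negated entries
means "everything except those".
"""
import ipaddress


def _tokenize(expr):
    # Split a (possibly bracketed) list on top-level commas; nested
    # bracketed lists are kept intact as single items.
    expr = expr.strip()
    if expr.startswith("[") and expr.endswith("]"):
        expr = expr[1:-1]
    items, depth, cur = [], 0, ""
    for ch in expr:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            items.append(cur)
            cur = ""
        else:
            cur += ch
    items.append(cur)
    return [i.strip() for i in items if i.strip()]


def matches(ip, expr, groups, _seen=()):
    """True if address `ip` is covered by address-group expression `expr`.

    groups maps a variable name (e.g. HOME_NET) to its expression, as in
    the vars.address-groups section of suricata.yaml.
    """
    addr = ipaddress.ip_address(ip)
    positives, negatives = [], []
    for item in _tokenize(expr):
        neg = item.startswith("!")
        body = item[1:].strip() if neg else item
        if body.startswith("$"):
            name = body[1:]
            if name in _seen:
                raise ValueError(f"circular reference in ${name}")
            hit = matches(ip, groups[name], groups, _seen + (name,))
        elif body.lower() == "any":
            hit = True
        elif body.startswith("["):
            hit = matches(ip, body, groups, _seen)
        else:
            hit = addr in ipaddress.ip_network(body, strict=False)
        (negatives if neg else positives).append(hit)
    if any(negatives):
        return False
    if positives:
        return any(positives)
    return bool(negatives)  # only negated entries: everything except those


def rule_fires(flow, rule, groups):
    """flow: (src_ip, dst_ip); rule: (src_expr, dst_expr) from a rule header."""
    src, dst = flow
    src_expr, dst_expr = rule
    return matches(src, src_expr, groups) and matches(dst, dst_expr, groups)


# Constructed sample flow as it might be seen on the mirrored ports: an
# internet host talking to an internal host on 172.16.0.0/12.
FLOW_INBOUND = ("8.8.8.8", "172.16.5.10")
# Header direction of a typical rule: alert tcp $EXTERNAL_NET any -> $HOME_NET any
RULE = ("$EXTERNAL_NET", "$HOME_NET")

# Three constructed vars.address-groups settings.
CONFIGS = {
    "any": {"HOME_NET": "any", "EXTERNAL_NET": "any"},
    # HOME_NET lists a range the mirrored traffic never uses.
    "wrong_subnet": {"HOME_NET": "[192.168.0.0/16]", "EXTERNAL_NET": "!$HOME_NET"},
    # HOME_NET lists the RFC 1918 ranges, including the one actually seen.
    "correct": {"HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
                "EXTERNAL_NET": "!$HOME_NET"},
}


def evaluate(configs=CONFIGS, flow=FLOW_INBOUND, rule=RULE):
    """Map each configuration name to whether the rule header matches the flow."""
    return {name: rule_fires(flow, rule, groups) for name, groups in configs.items()}


if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:13} -> alert fires: {fired}")
```

The same evaluator also shows the other half of the question: with the corrected variables, a flow between two internal hosts (say 172.16.5.10 to 10.0.0.4) never matches a `$EXTERNAL_NET -> $HOME_NET` header, because the source is inside $HOME_NET and therefore excluded from `!$HOME_NET`; rules meant to cover internal-to-internal traffic need a header such as `$HOME_NET any -> $HOME_NET any`.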