Optimal Suricata configuration for monitoring switch

Hi Team,
I am very new to Suricata. I am currently trying to monitor a switch with suricata. As of now I am using default configurations in suricata.yaml file. I only added monitoring interface name in the ‘af-packet:’ section. I am only seeing eve.json as the output file. Is there more configurations I can Can do to create more alerts. someone help me what all things I should enable or disable to effectively monitor all those switch traffic


Hey – welcome to the community.

Sounds like you have some things running well. In order for Suricata to generate alerts, it needs rules. There are many rulesets available for Suricata, I suggest using suricata-update to help you manage them.

The configuration possibilities depend on what you’re hoping to get from Suricata … if your switch traffic is reflected in the af-packet configuration section, then the primary configuration is done. Depending on traffic load (in Gbps) received, you may have to tune things a bit for memory limits and CPU core usage.

I am monitoring a core switch , but I am only getting very less alerts. 3 alerts in two days. It might be because there is no threat, but I am sceptic. I am monitoring an interface without an IP address, will that be a problem? I have two interfaces one have Ip assigned, I added it’s subnet in the HOME_NET list. I monitor the other interface without an IP

Check the stats – there are entries with "event_type":"stats" in the eve.json output file (which is in the logging directory you chose). Here, you’ll find packet and byte counters in addition to other metrics that track things like ethertype and such.

Do those values make sense for your environment?

What version of Suricata are you using?

What ruleset did you choose?

I followed the following link to install Suricata:

Suricata version is suricata-6.0

I got the ruleset by the command:
wget https://rules.emergingthreats.net/open/suricata-6.0.3/emerging.rules.tar.gz



We recommend upgrading to the latest Suricata release – 6.0.13 – due to the addition of numerous security and bug fixes that have been added since 6.0.0

Did you check the stats log for your Suricata deployment to see if the values make sense?