Optimal Suricata configuration for monitoring switch

Hi Team,
I am very new to Suricata. I am currently trying to monitor a switch with Suricata. As of now I am using the default configuration in the suricata.yaml file; I only added the monitoring interface name in the ‘af-packet:’ section. I am only seeing eve.json as the output file. Are there more configurations I can do to create more alerts? Can someone help me with what I should enable or disable to effectively monitor all that switch traffic?

Thanks
Nepolean

Hey – welcome to the community.

Sounds like you have some things running well. In order for Suricata to generate alerts, it needs rules. There are many rulesets available for Suricata, I suggest using suricata-update to help you manage them.

The configuration possibilities depend on what you’re hoping to get from Suricata … if your switch traffic is reflected in the af-packet configuration section, then the primary configuration is done. Depending on traffic load (in Gbps) received, you may have to tune things a bit for memory limits and CPU core usage.

I am monitoring a core switch, but I am only getting very few alerts: 3 alerts in two days. It might be because there is no threat, but I am sceptical. I am monitoring an interface without an IP address; will that be a problem? I have two interfaces: one has an IP assigned, and I added its subnet to the HOME_NET list. I monitor the other interface, which has no IP.

Check the stats – there are entries with "event_type":"stats" in the eve.json output file (which is in the logging directory you chose). Here, you’ll find packet and byte counters in addition to other metrics that track things like ethertype and such.

Do those values make sense for your environment?

What version of Suricata are you using?

What ruleset did you choose?
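An added example, not code from the thread or from the Suricata project: a small Python check that reads eve.json lines, keeps the newest "event_type":"stats" record, and flags the two capture conditions that produce almost no alerts regardless of threats (no packets reaching the interface, or kernel drops). The sample lines are constructed, and the counter names (capture.kernel_packets, capture.kernel_drops, decoder.bytes, detect.alert) are assumed to follow the Suricata 6 eve stats layout.

```python
import json
# Constructed eve.json lines (not captured from a real sensor): two cumulative
# "stats" records around one alert, enough to exercise the check below.
SAMPLE_EVE = """\
{"timestamp":"2023-06-01T10:00:08.000000+0000","event_type":"stats","stats":{"uptime":8,"capture":{"kernel_packets":1200,"kernel_drops":0},"decoder":{"pkts":1200,"bytes":960000},"detect":{"alert":0}}}
{"timestamp":"2023-06-01T10:00:09.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature":"constructed sample alert","severity":2}}
{"timestamp":"2023-06-01T10:00:16.000000+0000","event_type":"stats","stats":{"uptime":16,"capture":{"kernel_packets":2600,"kernel_drops":130},"decoder":{"pkts":2470,"bytes":1976000},"detect":{"alert":1}}}
"""

def latest_stats(lines):
    """Return the counters from the most recent stats record, or None if absent.
    Field names assume the Suricata 6 eve stats layout (capture.*, decoder.*, detect.*)."""
    last = None
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a half-written last line while Suricata is still logging
        if event.get("event_type") == "stats":
            last = event["stats"]  # counters are cumulative, so keep the newest
    if last is None:
        return None
    capture = last.get("capture", {})
    pkts = capture.get("kernel_packets", 0)
    drops = capture.get("kernel_drops", 0)
    return {
        "uptime_s": last.get("uptime", 0),
        "kernel_packets": pkts,
        "kernel_drops": drops,
        "drop_ratio": drops / pkts if pkts else 0.0,
        "decoder_bytes": last.get("decoder", {}).get("bytes", 0),
        "alerts": last.get("detect", {}).get("alert", 0),
    }

def sanity_check(summary, max_drop_ratio=0.01):
    """Name the two capture problems that give 'almost no alerts' without any threat."""
    problems = []
    if summary is None or summary["kernel_packets"] == 0:
        problems.append("no packets captured: verify the mirror/SPAN port feeds the af-packet interface")
    elif summary["drop_ratio"] > max_drop_ratio:
        problems.append("kernel drops at %.1f%%: tune af-packet ring-size/threads" % (100 * summary["drop_ratio"]))
    return problems

if __name__ == "__main__":
    summary = latest_stats(SAMPLE_EVE.splitlines())
    print(sanity_check(summary) or ["capture counters look plausible"])
```

Run it against a real file with `latest_stats(open("eve.json"))`; a drop ratio above one percent or zero kernel_packets explains a quiet sensor before any ruleset question arises.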

I followed this link to install Suricata:

Suricata version is suricata-6.0

I got the ruleset by the command:
wget https://rules.emergingthreats.net/open/suricata-6.0.3/emerging.rules.tar.gz

Thanks

Thanks.

We recommend upgrading to the latest Suricata release – 6.0.13 – due to the numerous security and bug fixes that have been added since 6.0.0.

Did you check the stats log for your Suricata deployment to see if the values make sense?