Possible to mirror traffic to Suricata?


I have an Ubuntu virtual machine running my web app. I want to use Suricata passively to monitor the traffic to my app.

Because of performance reasons, I installed Suricata on a separate Ubuntu vm. Is there a way to mirror the traffic from my app server to the Suricata server? Or do I have to route traffic through Suricata?

Thanks for your help.

Are the VMs on the same machine? Why not just allocate a bit more resources to the VM running the web-app and run Suricata inside it? Another option would be to run Suricata on the host machine.

Otherwise you’ll have to look at mirroring traffic into the other VM, I’m not sure how one would go about that myself though.

Thank you for your reply!

I rent cloud servers, so the VMs are (probably) not on the same machine. They are, however, on the same (virtual) network.

Apparently mirroring traffic is common in the hardware world (SPAN or network tap), but I don’t know how to simulate this behaviour on strictly virtual machines.

In virtual environments this will usually require the support of your virtual machine provider. The Linux tool tc can mirror traffic over a GRE tunnel. Not sure how that would work in production, but it's one idea.

The classic way of doing this, prior to the likes of AWS offering mirroring, is to route your traffic if you can. At least in AWS you could have a virtual private network. Your web-app would be on this private network, then you'd have another Linux box with the public IP, port forwarding to the actual web host, and this is where you would run Suricata. Of course, you need some support from your VM provider to do that as well, or get creative with reverse proxy servers and such.
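A concrete version of the tc-over-GRE idea mentioned in the reply above, added here as an example (it is not code from the thread): the app VM copies its web port's traffic into a gretap tunnel with tc mirred, and the Suricata VM sniffs the tunnel interface. Interface names, addresses and the port are placeholders, and it assumes the cloud virtual network passes GRE (IP protocol 47) between the two VMs.

```shell
#!/bin/sh
# Added example, not from the thread: mirror a web app's TCP traffic from the app
# VM to a remote Suricata VM with tc mirred over a gretap (GRE) tunnel.
# Assumed placeholders: NIC is the app VM's network interface, APP_IP/IDS_IP the
# two VMs' addresses on the shared virtual network, APP_PORT the app's TCP port.
# Needs root and iproute2 (kernel >= 4.5 for clsact). DRY_RUN=1 prints commands.

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# App VM side: build the tunnel and hook mirror filters onto the real NIC.
setup_mirror() {
    nic=$1; app_ip=$2; ids_ip=$3; app_port=$4; tun=${5:-gre1}
    # gretap tunnels whole Ethernet frames, so Suricata sees what a SPAN port would.
    run ip link add "$tun" type gretap local "$app_ip" remote "$ids_ip"
    run ip link set "$tun" up
    # clsact gives ingress and egress hooks without replacing the root qdisc.
    run tc qdisc add dev "$nic" clsact
    # Ingress: copy packets arriving for the app port.
    run tc filter add dev "$nic" ingress protocol ip flower ip_proto tcp \
        dst_port "$app_port" action mirred egress mirror dev "$tun"
    # Egress: copy the app's replies. Matching the app port instead of matchall
    # stops the GRE-encapsulated copies (which also leave via $nic) from being
    # mirrored again into the tunnel.
    run tc filter add dev "$nic" egress protocol ip flower ip_proto tcp \
        src_port "$app_port" action mirred egress mirror dev "$tun"
}

# Suricata VM side: terminate the tunnel, then run Suricata on it
# (e.g. suricata -i gre1, or an af-packet interface entry for gre1 in suricata.yaml).
setup_ids_side() {
    app_ip=$1; ids_ip=$2; tun=${3:-gre1}
    run ip link add "$tun" type gretap local "$ids_ip" remote "$app_ip"
    run ip link set "$tun" up
}

# App VM side: undo everything setup_mirror did.
teardown_mirror() {
    nic=$1; tun=${2:-gre1}
    run tc qdisc del dev "$nic" clsact
    run ip link del "$tun"
}

# Usage: . ./mirror.sh; setup_mirror eth0 APP_IP IDS_IP 443   (on the app VM)
#        . ./mirror.sh; setup_ids_side APP_IP IDS_IP          (on the Suricata VM)
# Watch `ip -s link show gre1` on both ends for drops: the tunnel MTU is lower
# than the NIC's, so full-size mirrored frames may not fit.
```

Every mirrored packet is sent a second time, so the app VM's outbound bandwidth roughly doubles for the mirrored port; the cloud security groups must also allow GRE between the two VMs or the tunnel silently carries nothing.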