Running Suricata as a VM

Hi, I wanted to try out Suricata in my environment. I created a Virtual Machine and installed it on my work computer. I configured it to monitor a couple of networks, but the problem is that it doesn’t detect any traffic that isn’t going through this particular VM. What do I need to do to make it see everything that is happening in my network (as if it was connected to my infrastructure)? Is it possible? I’m so new to this and clueless atm.

How is this VM supposed to see traffic from other systems?

The best practice is to have a sensor with at least two interfaces.

One interface is used for sensor management.

The other interface connects to a network tap, or a switch SPAN port, or other device to send traffic.

How do you have your system deployed?

Check out the free first chapter of my Network Security Monitoring book. It has info and diagrams on deployment.

So, I have my PC that is in the network and I got a VM with Suricata on it. As I understand it, I won’t be able to see anything on my network with this VM?

You need to forward the traffic from the network to the capture port; there is no magic to see the traffic since it doesn’t pass your VM.
You can see if your VM software provides mirroring, or if you have a switch with a mirror port, you can set this to forward the traffic.
Another option would be to sit in between in IPS mode, but that is even more complex and not recommended for beginners.

It sounds like you will only see unicast traffic to and from the VM, and broadcast traffic on the LAN.

This video might help.

Where Do I Put My Sensor?
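
One way to check what the replies describe, as an added example that is not part of the original thread: classify the Ethernet frames a capture interface sees and report whether any unicast traffic between other hosts is arriving. It assumes input lines in the format printed by `tcpdump -e -n`; the MAC addresses and sample lines are constructed.

```python
import re
from collections import Counter

# "src > dst" MAC pair as printed by `tcpdump -e -n` (link-level header)
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
MAC_PAIR = re.compile(rf"({MAC}) > ({MAC})", re.I)
BROADCAST = "ff:ff:ff:ff:ff:ff"

def classify(lines, sensor_mac):
    """Count frames by how they relate to the sensor's own capture NIC."""
    sensor_mac = sensor_mac.lower()
    counts = Counter()
    for line in lines:
        m = MAC_PAIR.search(line)
        if not m:
            counts["unparsed"] += 1
            continue
        src, dst = m.group(1).lower(), m.group(2).lower()
        if sensor_mac in (src, dst):
            counts["own"] += 1              # traffic to or from the VM itself
        elif dst == BROADCAST:
            counts["broadcast"] += 1        # visible to every host on the LAN
        elif int(dst[:2], 16) & 1:
            counts["multicast"] += 1        # group bit set in first octet
        else:
            counts["foreign_unicast"] += 1  # only seen via tap/SPAN/mirroring
    return counts

def mirror_visible(counts, min_foreign=1):
    """True if unicast between other hosts reaches this interface.
    Raise min_foreign to ignore stray frames from unknown-unicast flooding."""
    return counts["foreign_unicast"] >= min_foreign

# Constructed sample data (not from the thread)
SENSOR = "52:54:00:12:34:56"
UNMIRRORED = [
    "12:00:01.000001 52:54:00:12:34:56 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 74: 192.0.2.10.51000 > 192.0.2.1.443: tcp 0",
    "12:00:01.000200 00:11:22:33:44:55 > 52:54:00:12:34:56, ethertype IPv4 (0x0800), length 74: 192.0.2.1.443 > 192.0.2.10.51000: tcp 0",
    "12:00:02.000000 00:aa:bb:cc:dd:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.0.2.1 tell 192.0.2.20",
    "12:00:03.000000 00:aa:bb:cc:dd:02 > 01:00:5e:00:00:fb, ethertype IPv4 (0x0800), length 90: 192.0.2.21.5353 > 224.0.0.251.5353: UDP",
]
MIRRORED = UNMIRRORED + [
    "12:00:04.000000 00:aa:bb:cc:dd:01 > 00:aa:bb:cc:dd:02, ethertype IPv4 (0x0800), length 66: 192.0.2.20.40000 > 192.0.2.21.22: tcp 0",
]

if __name__ == "__main__":
    for name, sample in (("unmirrored", UNMIRRORED), ("mirrored", MIRRORED)):
        c = classify(sample, SENSOR)
        print(name, dict(c), "mirror visible:", mirror_visible(c))
```

A sensor whose counts show only `own`, `broadcast` and `multicast` frames is not receiving mirrored traffic, which matches the situation described in the first post.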