Hello everyone,
A week ago, I installed Suricata 6.0.10, which was supposed to send me alerts if it detected anything malicious in the traffic passing through MikroTik.
I configured MikroTik to route all traffic through mangle rules (TZSP) to the appropriate address where Suricata is running (eth1: 10.4.4.180). After a few days, I noticed there were no results, so I created some simple rules just to detect if traffic appeared on certain ports, like port 25. I generated such traffic through the router using Telnet, and I used tcpdump to capture that traffic into a pcap file. Occasionally, a line for a port appears in the alert file, but there should be many more.
I tried manually running Suricata with commands like:
- trafr -s | suricata -c /etc/suricata/suricata.yaml -v -i eth1
However, nothing was generated in the alert file. When I opened the file with Wireshark, it was correct, and I could see exactly where Suricata should have triggered an alert.
When I checked eve.json, I only have things that are related to the 10.4.4.x network. But like I said, with Wireshark I can see there are other networks in that pcap, and it seems that Suricata is not analyzing them.
Also, the command: trafr -s | tcpdump -r - -n
gives me all the correct output.
In the Suricata yaml file I configured HOME_NET: "[10.0.0.0/8]", but still nothing. What do I need to do to force Suricata to analyze all networks that come from the 10.4.4.180 stream?
Thank you!
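Added example, not part of the original post and not code from Suricata, MikroTik or trafr: a small Python TZSP decapsulator that shows what trafr does before the traffic is usable by an IDS. MikroTik streams sniffed frames inside UDP datagrams (TZSP, by default to port 37008), so a sensor listening on eth1 directly sees only UDP packets between the router and 10.4.4.180; the other networks only become visible once the TZSP header is stripped and the inner Ethernet frames are written out as a pcap. The port number, MAC addresses and the 10.20.30.40 / 10.50.60.70 flow below are constructed assumptions.

```python
import socket
import struct

TZSP_PORT = 37008  # MikroTik's default port for TZSP sniffer streaming (assumed here)

def strip_tzsp(datagram: bytes) -> bytes:
    """Return the Ethernet frame carried inside one TZSP (v1, Ethernet) datagram payload."""
    version, pkt_type, encap = struct.unpack("!BBH", datagram[:4])
    if (version, pkt_type, encap) != (1, 0, 1):  # v1, received packet, Ethernet encapsulation
        raise ValueError(f"unsupported TZSP header {version}/{pkt_type}/{encap}")
    off = 4
    while True:  # tagged fields follow; PADDING (0x00) and END (0x01) carry no length byte
        tag = datagram[off]
        off += 1
        if tag == 0x01:
            return datagram[off:]
        if tag != 0x00:
            off += 1 + datagram[off]  # skip length byte plus value

def inner_flow(frame: bytes):
    """(src_ip, dst_ip, tcp_dport) of an IPv4/TCP Ethernet frame, or None for anything else."""
    if frame[12:14] != b"\x08\x00" or frame[14 + 9] != 6:
        return None
    ihl = (frame[14] & 0x0F) * 4
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    return src, dst, struct.unpack("!H", frame[14 + ihl + 2:14 + ihl + 4])[0]

def pcap_bytes(frames) -> bytes:
    """Serialise (timestamp, frame) pairs as a classic pcap (LINKTYPE_ETHERNET) for suricata -r."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for ts, frame in frames:
        sec, usec = divmod(int(ts * 1_000_000), 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)

# Constructed sample: a TCP SYN to port 25 between two hosts outside 10.4.4.0/24, wrapped in
# TZSP the way the router streams it (IP/TCP checksums left as zero; not a real capture).
_IP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                  socket.inet_aton("10.20.30.40"), socket.inet_aton("10.50.60.70"))
_TCP = struct.pack("!HHIIBBHHH", 40000, 25, 1, 0, 0x50, 0x02, 8192, 0, 0)
SAMPLE_FRAME = bytes.fromhex("0a1b2c3d4e5f5f4e3d2c1b0a0800") + _IP + _TCP
SAMPLE_TZSP = b"\x01\x00\x00\x01" + b"\x00\x0a\x01\x05\x01" + SAMPLE_FRAME  # hdr, pad, tag, END

if __name__ == "__main__":
    frame = strip_tzsp(SAMPLE_TZSP)
    print("inner flow, visible only after decapsulation:", inner_flow(frame))
    with open("decapsulated.pcap", "wb") as fh:
        fh.write(pcap_bytes([(1.0, frame)]))
```

The resulting file can be checked with suricata -c /etc/suricata/suricata.yaml -r decapsulated.pcap, which is the same offline mode you would use to confirm a rule fires on a tcpdump capture before trusting the live TZSP feed.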