We have created a test environment for Suricata testing.
The environment has three servers in total: the 1st server has Suricata & Wazuh installed, and on the 2nd & 3rd servers we have installed Apache, from which we initiate attacks.
As per the setup, when we initiate the attack from the 2nd to the 3rd server or vice versa, we are able to receive the DDoS-related alerts on the 1st server, as all three servers are in the same subnet.
Now, when we initiate an attack from outside of this network, the 2nd & 3rd instances have that information, i.e. the traffic/load from outside is accepted and there is even a response from the 2nd & 3rd instances sent to the attacker machine (screenshot attached for your reference). But we don’t see any alert in Suricata (1st server).
We request your help in resolving the issue.
“Outside this network” – it’s important that all traffic Suricata inspects is presented to it. How is traffic from outside the network provided to Suricata?
We added the subnet IP range & the public IPs of the instances (same subnet) in suricata.yaml as HOME_NET. Attaching a screenshot for your reference.
Thanks for your reply.
More specifically, are you using a SPAN or tap to route all network traffic seen by the servers to the server hosting Suricata?
In IDS mode, network traffic must be presented to the network interface(s) on which Suricata is ingesting packets.
IPS mode is more complicated because the monitored traffic must be routed through the Suricata system.
What version of Suricata are you using?
How is the network traffic being directed to the network interfaces from which Suricata receives monitored traffic?