Suricata Network monitoring

Smriti_Kaushal · October 12, 2022, 11:02am

Hi !

I have installed suricata version6.0.6. Currently it is running in IDS mode
In home_network I have specified my Vnet range in which there are many servers.
But when I see the eve.json file I am not getting any logs related to those servers. (I cant see the Ip address of any server other than Suricata server )
Please suggest me any workaround so that I can see the clear logs of all the server in eve.json file to determine what traffic is being detected in all the server.

Kindly respond to this ASAP as I am in the middle of an audit. Thanks for help in advance.

syoc · October 13, 2022, 6:46am

Hi. Is there any reason your server should recieve traffic destined for other hosts?
Getting the packets to Suricata in IDS mode is usually done using either network TAPs or SPAN ports on routers/switches. I would recommend looking into the latter.

Not sure what your timeline on the audit is, but setting up Suricata with little time and IDS expertise is not something that is done in an instant.

Topic		Replies	Views
Suricata 6.0.9 on Ubuntu 22.04 not getting traffic at all Help	11	999	December 24, 2022
Suricata in IDS mode shows traffic that should be blocked Help suricata	1	232	December 12, 2023
Optimal Suricata configuration for monitoring switch Help configuration , suricata	5	952	July 28, 2023
$HOME_NET and multiple interfaces, plus deployment best practices Help	3	4292	June 27, 2020
Suricata doesn't alert me on ping with basic configuration Help	3	885	January 17, 2023

Suricata Network monitoring

Related topics