Suricata Network monitoring

Smriti_Kaushal · October 12, 2022, 11:02am

Hi !

I have installed suricata version6.0.6. Currently it is running in IDS mode
In home_network I have specified my Vnet range in which there are many servers.
But when I see the eve.json file I am not getting any logs related to those servers. (I cant see the Ip address of any server other than Suricata server )
Please suggest me any workaround so that I can see the clear logs of all the server in eve.json file to determine what traffic is being detected in all the server.

Kindly respond to this ASAP as I am in the middle of an audit. Thanks for help in advance.

syoc · October 13, 2022, 6:46am

Hi. Is there any reason your server should recieve traffic destined for other hosts?
Getting the packets to Suricata in IDS mode is usually done using either network TAPs or SPAN ports on routers/switches. I would recommend looking into the latter.

Not sure what your timeline on the audit is, but setting up Suricata with little time and IDS expertise is not something that is done in an instant.

Topic		Replies	Views
Suricata 6.0.9 on Ubuntu 22.04 not getting traffic at all Help	11	945	December 24, 2022
Optimal Suricata configuration for monitoring switch Help configuration , suricata	5	871	July 28, 2023
After installation, Suricata writes only statistics to eve Help	5	537	December 2, 2021
Eve.json only shows "event_type":"flow" Help	7	1543	October 22, 2020
Missing VLAN Information in eve.json Logs with Suricata 7.0.1 Running in DPDK Mode Help suricata	3	195	November 15, 2023

Suricata Network monitoring

Related Topics