Suricata not showing logs from windows

liudeen · June 22, 2022, 11:49pm

I have 3 VMs. Windows Server 2012, Linux and pfSense. pfSense serves as DHCP and Router/Network Interface. Windows and Linux have been assigned static IPs on the same network interface and subnet from pfSense. I have Suricata installed on Linux and when I run Red Team attacks on Linux, Suricata logs an alert in the fast.log and eve.json files. When I run similar commands on Windows Server (that should trigger an alert), Suricata doesn’t log alerts. I don’t know if it means Suricata can only monitor traffic on the Kali since its where it is installed and it can’t monitor Windows. For clarity

Linux IP: 10.0.0.6
Windows Server IP: 10.0.0.2
Gateway IP: 10.0.0.1

Can someone help me please? I have struggled with this issue and would appreciate some help.

Jeff_Lucovsky · June 26, 2022, 12:25pm

From your description, I’m assuming that the traffic to the Windows server isn’t being received on the Linux system where Suricata is running.

Suricata receives packets from specific NICs; you can use tcpdump against those NICs to see if the Linux system receives packets destined for other machines.

My guess is that this is the problem.

Topic		Replies	Views
Suricata cannot detect attack traffic going to the server Help suricata	10	103	August 6, 2024
Can Suricata(on PFSense) send log report by email? Help suricata	3	882	February 6, 2023
Suricata only responds to the Nmap test to itself Help	11	775	July 29, 2021
Suricata not logging incoming packets Help	7	1267	December 29, 2020
Suricata not logging my outbound traffic Help suricata	1	486	June 18, 2021

Suricata not showing logs from windows

Related topics