Hi, I am newbie in suricata, I have installed version 6.0.3 on ubuntu OS. The IP address is 192.168.1.201. I have followed the user guide for the installation.I also have suricata-update. seems fine, till to get to the test functionality with IDS with curl . in fast.log an alert appears. Likewise, test using nmap to ip 192.168.1.201, an alert in fast.log appears. But why when nmap is tested using another IP network (eg 192.168.1.202) no alert appears at all, so with a different subnet, the alert still doesn’t appear. how can i make sure suricata can monitor all networks that are already registered on #HOME_NET. tks 4 your kind attention…
Does the box suricata is running on actually receive the traffic?
I would have a look at tcpdump to verify.
The most common method to send traffic to the suricata box on a physical (non virtualized) network would be a switch + tap interface.
thanks for your quick respon. For experiment, I simplified the topology, Suricata (192.168.1.201), PC1 (192.168.1.202) and PC2 (192.168.1.203) are connected by a switch, without router. When PC2 performs Nmap to suricata 192.168.1.201, an alert appears in fast.log, but when PC2 performs Nmap on PC1 there is no alert from fast.log, nor does Nmap from PC1 to PC2, there is no alert whatsoever. Only one network has no alert from suricata when there is port scanning from Nmap. can anyone help where is the problem? HOME_NET:"[192.168.1.0/24]" .
TCPDUMP results are in the attachment
When PC1 does a scan of PC2 suricata will never see the traffic and has no way of knowing a scan is performed.
The traffic needs to be sent to the box running suricata.
I would recommend as written above that you check if your switch can be set up with a tap interface.
can you give me sample switch + tap interface (image or anything)… .I don’t know what a switch with a tap interface looks like and how to configure it…can you show link in internet for that…tks 4 your patience…
Err… yeah. SPAN port might be the correct terminology here.
Typing “switch span port” and “switch port mirroring” into google should get you started.
Searching for your switch model number might yield some specification sheets that tell you how many, if any, span port can be configured.
tks 4 your kind attention, I’ll try what you suggest… I’ll let you know later…
alhamdulillah, your suggestion worked, thank you for the help and information. I just feel weird, this important thing is not in the Suricata user guide.
Now suricata can display alerts, then how to activate IPS from suricata itself, i still don’t understand. the example for the Nmap case above…thank you for bothering
Adding this would be quite a challenge to cover all possible options to mirror traffic. In general it is expected that someone using Suricata already took care of the traffic ingest. We can give general guideance but covering each setup would be a community effort.
In the scenario with a SPAN port you just receive the traffic in a passive way, not inline, so IPS won’t be possible.
Sir, if using a mirror or span port IPS Suricata can’t work, then how do you make Suricata can function as an IDS and IPS at the same time without using a mirror port ? Do I have to use expensive capture hardware? I 'm very confused , your answer give me a hope please…
If you want to use it as an IPS you need to install it on a machine that is at an inline position of the traffic, so for example the main firewall/gateway or you set up a dedicated machine and place it in between. If you just get a copy of the traffic you can’t interfer with the original one.
many thanks 4 your answer sir…