-Remote: Windows 7/10.
-Local: Ubuntu 18.04
-SSH into VPN
ssh email@example.com -p2223 'C:/tmp/WinDump.exe -i1 -s0 -U -w - icmp and not port 2223' | sed '1d' | stdbuf -oL tcpdump -nn -r - -w - | stdbuf -oL suricata -knone -c /etc/suricata/suricata_no_dataset.yaml -l ./ -r /dev/stdin -l ./win7_su_log
So if I understand correctly this captures traffic on Windows using WinDump.exe, pipes it to a Linux box over ssh which then transforms it to pcap and streams it to Suricata?
Capture on windows (remote) via VPN / SSH and send the captures to the local host. Suricata_IDS runs locally and returns logs to local.
Run local tcpdump and sed to avoid problems with the pcap magic number.
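A more robust replacement for the `sed '1d'` step, added here as an example and not part of the original post: instead of assuming the stray text ahead of the capture is exactly one line, it scans the stream for a pcap/pcapng magic and forwards everything from that point. The function names, the script name `pcapfilter.py` and the sample banner are my own assumptions.

```python
import io
# Magics that may start a capture stream: libpcap (both byte orders, us/ns timestamps) and pcapng.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": "pcap be/us", b"\xd4\xc3\xb2\xa1": "pcap le/us",
    b"\xa1\xb2\x3c\x4d": "pcap be/ns", b"\x4d\x3c\xb2\xa1": "pcap le/ns",
    b"\x0a\x0d\x0d\x0a": "pcapng",
}
def find_pcap_magic(data):
    """Return (offset, kind) of the first capture-file magic in data, or None."""
    for off in range(len(data) - 3):
        if data[off:off + 4] in PCAP_MAGICS:
            return off, PCAP_MAGICS[data[off:off + 4]]
    return None
def filter_stream(reader, writer, chunk=65536, max_junk=4096):
    """Drop bytes until the first capture magic, then pass the rest through untouched."""
    buf, junk = b"", 0
    while True:                      # phase 1: hunt for the header on a live pipe
        data = reader.read(chunk)
        if not data:
            raise ValueError("stream ended before any pcap/pcapng header")
        buf += data
        hit = find_pcap_magic(buf)
        if hit:
            writer.write(buf[hit[0]:])
            break
        junk += max(len(buf) - 3, 0)
        if junk > max_junk:
            raise ValueError("over %d bytes of non-capture data before the header" % max_junk)
        buf = buf[-3:]               # keep a tail: a magic may straddle two chunks
    while True:                      # phase 2: plain pass-through, flushed per chunk
        writer.flush()
        data = reader.read(chunk)
        if not data:
            return hit[1]
        writer.write(data)
def filter_bytes(data, chunk=65536):
    """In-memory wrapper around filter_stream; returns (kind, cleaned bytes)."""
    out = io.BytesIO()
    return filter_stream(io.BytesIO(data), out, chunk), out.getvalue()

# Constructed sample: a one-line text banner, then a little-endian pcap global header
# (version 2.4, snaplen 65535, linktype 1 = Ethernet), then 20 bytes of payload.
BANNER = b"listening on interface 1\n"
PCAP_HEADER_LE = (b"\xd4\xc3\xb2\xa1" + b"\x02\x00\x04\x00" + b"\x00" * 8
                  + b"\xff\xff\x00\x00" + b"\x01\x00\x00\x00")
SAMPLE_STREAM = BANNER + PCAP_HEADER_LE + b"\x01" * 20

if __name__ == "__main__":  # usage: ssh ... | python3 pcapfilter.py | suricata -r /dev/stdin ...
    import sys
    filter_stream(sys.stdin.buffer, sys.stdout.buffer)
```

Unlike `sed '1d'`, this also survives a banner without a trailing newline and never eats header bytes that happen to contain 0x0a.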
Perhaps a good idea to add links to how to get/install WinDump.exe and how to setup ssh and permissions on the Windows side?
Yes, I will prepare it.
For GNU / Linux to GNU/Linux, it is simpler.
Great, thanks. I think it would be the nicest if you update your original post so it contains all the relevant information.
Thanks to you. I will do so.