Suricata remote sensor

-Remote: Windows 7/10.
-Locar: Ubuntu 18.04
-SSH into VPN

ssh windump@192.168.1.29 -p2223 ā€˜C:/tmp/WinDump.exe -i1 -s0 -U -w - icmp and not port 2223ā€™ | sed ā€˜1dā€™ | stdbuf -oL tcpdump -nn -r - -w - | stdbuf -oL suricata -knone -c /etc/suricata/suricata_no_dataset.yaml -l ./ -r /dev/stdin -l ./win7_su_log

Best regards,

So if I understand correctly this captures traffic on Windows using WinDump.exe, pipes it to a Linux box over ssh which then transforms it to pcap and streams it to Suricata?

Capture on windows (remote) via VPN / SSH and send the captures to the local host. Suricata_IDS runs locally and returns logs to local.

Run local tcpdump and sed to avoid problems with pcap magic mumber.

Nice!

Perhaps a good idea to add links to how to get/install WinDump.exe and how to setup ssh and permissions on the Windows side?

Yes, I will prepare it.

For GNU / Linux to GNU/Linux, it is simpler.

Great, thanks. I think it would be the nicest if you update your original post so it contains all the relevant information.

Thanks to you. I will do so :wink: