We have created a test environment for suricata testing.
Where the environment has total 3 servers in which 1st server has suricata & wazuh installed, even we have configured as per the document & also took wazuh support help for configuring.
And in 2nd & 3rd server we have installed Apache where we initiate attacks.
As per the setup when we initiate the attack from 2nd to 3rd server or vice versa, we are not able to receive the alerts related to DDoS in the 1st server but if we are attacking from suricata server to 2nd or 3rd server we are getting alert. All the three servers in same subnet.
Now when we initiate an attack from outside of this network the 2&3rd instance has that information like the traffic /load from outside is accepted and even there is a response from 2nd & 3rd instance sent to attacker machine(Attach screenshot for your reference) But we don’t see any alert in suricata server.
Request to help in resolving the issue.
we need more details about your setup, how you run Suricata, which version, how did you configure it etc.
There are too many potential reasons so we need to narrow it down first by more details.