I am new to Suricata and would appreciate some guidance. I am considering installing Suricata on servers without enabling any rules, solely to forward and store network traffic logs, for example, in a SIEM like Wazuh. Do you think this is a good approach, or would you advise against it? Are there any potential drawbacks to this method?
Additionally, if this is not a recommended approach, is it possible to configure Suricata to filter only HTTP traffic and forward IIS logs to a system like Wazuh?
Both are possible and I don’t see any wrongdoing in any of those.
Additionally, Suricata runs much faster without rules (it likely will not compare to, e.g., the throughput of flow probes, but it will give you much richer logs).
You can generally filter traffic using BPF filters.
If that would not suffice you can possibly write some rules that would match the other traffic and use bypass; or noalert; keywords.
It will impact performance, since it’s an additional service and packets have to be investigated, but it’s less compared to the impact when signatures are added.
Also you won’t forward IIS logs but the network logs produced by Suricata.
The Windows MSI installer can be found at Download - Suricata, although I would recommend using Linux or FreeBSD for Suricata in that scenario.
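To make the three pieces of the reply above concrete (a BPF capture filter, EVE JSON logging with HTTP records for the SIEM, and a bypass/noalert rule as the fallback), here is an added example that is not from the original thread or from the Suricata project. It targets Linux, as the reply recommends; the directory, interface name and sid are placeholders, while the YAML keys, rule keywords and command-line flags (`-F`, `-S`, `--disable-detection`, `-D`) are Suricata's own. The YAML is a fragment to merge into the distribution `suricata.yaml`, not a complete config. The script only writes files and prints the command lines, so it runs without Suricata installed.

```shell
#!/bin/sh
# Constructed example: lay out a rule-less, HTTP-only Suricata setup on Linux.
# OUTDIR and IFACE are assumed values; override them in the environment.
set -eu

OUTDIR="${OUTDIR:-./suricata-http}"   # assumed working directory
IFACE="${IFACE:-eth0}"                # assumed capture interface

write_layout() {
  mkdir -p "$OUTDIR"

  # 1. Capture filter (BPF): only HTTP ports ever reach Suricata, so nothing
  #    else is decoded or logged. Cheapest filter, applied before any rule.
  cat > "$OUTDIR/http.bpf" <<'EOF'
tcp port 80 or tcp port 8080
EOF

  # 2. Config fragment: EVE JSON output with extended HTTP records. This file
  #    (eve.json) is what a SIEM such as Wazuh ingests; it contains Suricata's
  #    network-level view of the requests, not the IIS server logs.
  cat > "$OUTDIR/suricata.yaml" <<EOF
%YAML 1.1
---
outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: $OUTDIR/eve.json
      types:
        - http:
            extended: yes      # adds headers, user-agent, response status, etc.
        - flow                 # one record per flow, useful for volume baselines
        - stats                # capture drop counters, to watch for packet loss
af-packet:
  - interface: $IFACE
default-rule-path: $OUTDIR
rule-files:
  - local.rules
EOF

  # 3. Fallback when a BPF filter is not enough: a rule that matches traffic
  #    you do not want inspected (here: established TCP flows not on port 80),
  #    hands the flow to bypass, and suppresses the alert it would otherwise raise.
  #    The rule text is constructed for this example; check it against the
  #    keyword docs of the Suricata version you deploy.
  cat > "$OUTDIR/local.rules" <<'EOF'
alert tcp any any -> any !80 (msg:"bypass non-HTTP flows"; flow:established; bypass; noalert; sid:1000001; rev:1;)
EOF
}

# Command lines are printed, not executed, so this script does not need Suricata.
cmd_no_rules() {
  # Detection engine switched off entirely: protocol logging only, daemonised.
  echo "suricata -c $OUTDIR/suricata.yaml -i $IFACE -F $OUTDIR/http.bpf --disable-detection -D"
}

cmd_with_bypass_rules() {
  # -S loads only local.rules (no other rule files), so detection cost stays minimal.
  echo "suricata -c $OUTDIR/suricata.yaml -i $IFACE -S $OUTDIR/local.rules -D"
}

write_layout
cmd_no_rules
cmd_with_bypass_rules
```

Run it once, then start Suricata with whichever printed command fits: the first when the BPF filter alone is sufficient, the second when you need rule-based bypass. In both cases keep an eye on the `stats` records in eve.json, since a rising drop counter is the first sign that the capture box cannot keep up with the traffic it is being fed.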
The problem is that the servers are Windows OS. I have one more question: when I start Suricata with the command “cmd: suricata.exe -c suricata.yaml -i ipaddress”, do I need to keep the cmd window open, or can I close it and it will still run?
This depends on your setup and the terminal that you use, but that’s a Windows-specific question.
On Linux it’s simpler since you can run it as a service/daemon. You can try whether -D works on Windows as well for the daemon mode.