VLAN - multi-tenancy

I have installed suricata and have it up and running with default rules. Right now the input is from a mirror port from the trunk. I have several VLANs that I think would benefit from tenants. I have read through the documentation, but have not been successful at implementing.

I am not sure what the minimum required config is for a tenant. I have added the multi: to the suricata.yml and then have the tenant-x.yml files. The questions I have are:

  1. I get an error on startup saying that the rules file exists? Does this mean that each tenant needs its own rule file?
  2. What does a basic simple tenant-x.yml look like?

tenant-1.yaml (1.4 KB)
suricata.yaml (71.9 KB)

Hey Clinton.

  1. I get an error on startup saying that the rules file exists? Does this mean that each tenant needs its own rule file?
    Answer: Multi-tenancy support allows for different rule sets with different rule vars

  2. What does a basic simple tenant-x.yml look like?
    Answer: each contains a partial configuration

Example:

default-rule-path: /etc/suricata/rules
rule-files:
  - tenant1.rules

classification-file: /etc/suricata/classification.config
reference-config-file: /etc/suricata/reference.config

vars:
  address-groups:
    HOME_NET: "[192.168.5.0/24]"
    EXTERNAL_NET: "!$HOME_NET"

  port-groups:
    HTTP_PORTS: "80"
    SHELLCODE_PORTS: "!80"

Quotes from 10.4. Multi Tenancy — Suricata 6.0.3 documentation
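For the VLAN-per-tenant setup the original poster is after, the tenant files above are only half of the picture: the main suricata.yaml also needs a `multi-detect` section that enables the feature, selects VLAN-based tenant selection, lists the tenant files and maps each VLAN ID to a tenant. The block below is an added example for this thread, not the poster's attachment and not a file shipped by the Suricata project; the VLAN IDs 10 and 20 and the file names tenant-1.yaml / tenant-2.yaml are constructed assumptions, while the keys themselves (`multi-detect`, `selector`, `loaders`, `tenants`, `mappings`) are the ones documented in the Multi Tenancy chapter.

```yaml
# Added example: multi-detect section for suricata.yaml (not the poster's file).
# Assumes traffic arrives tagged on a mirror of the trunk, so the VLAN ID
# of each packet is available to pick the tenant.
multi-detect:
  enabled: yes
  # "vlan": choose the tenant from the packet's VLAN ID.
  # "direct": the capture method supplies the tenant id instead.
  selector: vlan
  # Number of threads used to load tenant rule sets at startup/reload.
  loaders: 3

  # One partial configuration per tenant (rule-files, vars, classification
  # and reference config), like the tenant example quoted above.
  tenants:
    - id: 1
      yaml: tenant-1.yaml   # constructed name; path relative to suricata.yaml
    - id: 2
      yaml: tenant-2.yaml   # constructed name

  # VLAN -> tenant mapping. VLAN IDs 10 and 20 are constructed values;
  # replace them with the VLANs actually carried on the mirrored trunk.
  mappings:
    - vlan-id: 10
      tenant-id: 1
    - vlan-id: 20
      tenant-id: 2
```

Each tenant file then names its own rule file(s) under `rule-files`, so a VLAN whose hosts never run a given service can simply omit the rules that were producing the noise. Before pointing the mirror port at it, `suricata -T -c /etc/suricata/suricata.yaml` loads the main file and every tenant file in test mode and reports configuration and rule-loading problems without processing any traffic.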

THANK you for the reply… that helped. I now have it up and running with multi-tenancy. That should help with all the alerts (false positives).

Cheers!