I have the following 3 PCs connected to a router via Ethernet:
PC1 – 192.168.1.101 (Linux Ubuntu)
PC2 – 192.168.1.100 (Windows)
PC3 – 192.168.1.1 (Windows)
All PCs can ping each other.
PC1 has Suricata installed in IDS mode. It has a simple ping rule included:
alert icmp any any -> any any (msg:"PING detected"; sid:2; rev:1;)
I launch Suricata by entering the following command in PC1:
suricata -c /etc/suricata/suricata.yaml -i eth3
eth3 is the main Ethernet interface in PC1.
The ping rule is triggered when I ping PC1 from PC2 and PC3, and the appropriate message is recorded in the log file. This rule is also triggered when I ping PC2 and PC3 from PC1.
However, this rule is not triggered when I ping PC2 from PC3 and vice versa. Suricata listens only on eth3 interface in PC1. The traffic doesn’t pass through PC1 when I ping PC2 from PC3, even though all 3 PCs are on the same network.
Is it possible to configure Suricata to monitor the entire network and not only the PC it is installed on?
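Added example, not part of the original question or of Suricata itself: a small Python parser for Suricata's fast.log output that tallies which host pairs the sensor actually alerted on. Run it over the real fast.log after pinging between each pair of hosts; any pair with zero alerts that does not include the sensor host is a blind spot, which is exactly what you see on a switched LAN when the sensor sits on an ordinary access port rather than a SPAN/mirror port or a tap (promiscuous mode on eth3 does not help, because the switch never forwards PC2-PC3 frames to PC1's port). The sample log lines below are constructed in fast.log format using the three addresses and the sid from the question; the assumption that fast.log prints the ICMP type and code in the port positions (8 = echo request, 0 = echo reply) is mine.

```python
import re
from collections import Counter

# Constructed sample fast.log lines (not taken from the original post).
# Assumption: for ICMP, Suricata's fast.log prints ICMP type:code where TCP/UDP
# would show ports, so 192.168.1.100:8 -> 192.168.1.101:0 is an echo request.
# Only sensor<->PC2 and sensor<->PC3 pairs appear; PC2<->PC3 never does.
SAMPLE_FAST_LOG = """\
07/21/2014-04:20:01.000001  [**] [1:2:1] PING detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.100:8 -> 192.168.1.101:0
07/21/2014-04:20:01.000250  [**] [1:2:1] PING detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.101:0 -> 192.168.1.100:0
07/21/2014-04:20:05.000001  [**] [1:2:1] PING detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.1:8 -> 192.168.1.101:0
07/21/2014-04:20:05.000250  [**] [1:2:1] PING detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.101:0 -> 192.168.1.1:0
"""

# One fast.log alert per line: timestamp, [gid:sid:rev], message, ..., {proto} src:sport -> dst:dport
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_fast_log(text):
    """Parse fast.log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["sid"] = int(d["sid"])
            events.append(d)
    return events


def observed_pairs(events, sid=None):
    """Count alerts per unordered host pair (frozenset), optionally restricted to one sid."""
    pairs = Counter()
    for e in events:
        if sid is not None and e["sid"] != sid:
            continue
        pairs[frozenset((e["src"], e["dst"]))] += 1
    return pairs


def visibility_report(events, sensor_ip, hosts, sid=None):
    """For every pair of hosts, record how many alerts the sensor produced for that pair
    and whether the pair includes the sensor host itself."""
    pairs = observed_pairs(events, sid)
    report = {}
    for i, a in enumerate(hosts):
        for b in hosts[i + 1:]:
            key = frozenset((a, b))
            report[(a, b)] = {
                "alerts": pairs.get(key, 0),
                "involves_sensor": sensor_ip in key,
            }
    return report


def blind_spots(report):
    """Pairs with no alerts that do not involve the sensor: traffic that never reached the
    sensor's interface, i.e. what a SPAN/mirror port or a tap is needed to see."""
    return sorted(
        (a, b) for (a, b), r in report.items()
        if r["alerts"] == 0 and not r["involves_sensor"]
    )


if __name__ == "__main__":
    # Hypothetical usage: replace SAMPLE_FAST_LOG with open("/var/log/suricata/fast.log").read()
    events = parse_fast_log(SAMPLE_FAST_LOG)
    hosts = ["192.168.1.101", "192.168.1.100", "192.168.1.1"]  # PC1 (sensor), PC2, PC3
    report = visibility_report(events, "192.168.1.101", hosts, sid=2)
    for pair, r in report.items():
        print(pair, r)
    print("blind spots:", blind_spots(report))
```

If the PC2-PC3 pair still shows up as a blind spot after you have mirrored the switch ports to eth3, check the mirror direction (both ingress and egress of the mirrored ports) and confirm with a packet capture on eth3 before blaming the rule.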
Thank you very much for the detailed answer, Nevin. I am very new to networking, so it's good to know about the port mirroring feature that switches can have. I only have access to a cheap USRobotics router. So I assume I will not be able to solve my problem without a decent switch. – Alex – 2014-07-21T04:21:42.540