I have the following 3 PCs connected to a router via Ethernet:
PC1 – 192.168.1.101 (Linux Ubuntu)
PC2 – 192.168.1.100 (Windows)
PC3 – 192.168.1.1 (Windows)
All PCs can ping each other.
PC1 has Suricata installed in IDS mode. It has a simple ping rule included:
alert icmp any any -> any any (msg:"PING detected"; sid:2; rev:1;)
I launch Suricata by entering the following command in PC1:
suricata -c /etc/suricata/suricata.yaml -i eth3
eth3 is the main Ethernet interface in PC1:
The ping rule is triggered when I ping PC1 from PC2 and PC3, and the appropriate message is recorded in the log file. This rule is also triggered when I ping PC2 and PC3 from PC1.
However, this rule is not triggered when I ping PC2 from PC3 and vice versa. Suricata listens only on eth3 interface in PC1. The traffic doesn’t pass through PC1 when I ping PC2 from PC3, even though all 3 PCs are on the same network.
Is it possible to configure Suricata to monitor the entire network and not only the PC it is installed on?
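The symptom above (alerts only for flows that involve PC1) can be confirmed from the sensor's own alert log rather than by pinging around by hand. The script below is an added example, not part of the original post or of Suricata: it parses lines in Suricata's fast.log layout, collects the unordered host pairs that triggered the PING rule (sid 2), and reports which of the expected pairs were never observed and whether every observed pair includes the sensor's address. The log lines are constructed for the example; the addresses are the three PCs from the question, with PC1 (192.168.1.101) assumed to be the sensor.

```python
"""Check which host pairs a Suricata sensor actually observed, from its fast.log alerts."""
import re
from itertools import combinations

# Constructed sample lines in Suricata fast.log layout (not taken from the poster's
# machine). The addresses mirror the three PCs in the question; PC1 (.101) is the sensor.
SAMPLE_FAST_LOG = """\
07/21/2014-10:01:02.123456  [**] [1:2:1] PING detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.100:8 -> 192.168.1.101:0
07/21/2014-10:01:02.123789  [**] [1:2:1] PING detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.101:0 -> 192.168.1.100:0
07/21/2014-10:01:05.000001  [**] [1:2:1] PING detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.1:8 -> 192.168.1.101:0
07/21/2014-10:01:05.000400  [**] [1:2:1] PING detected [**] [Classification: (null)] [Priority: 3] {ICMP} 192.168.1.101:0 -> 192.168.1.1:0
"""

# One fast.log line: timestamp, [gid:sid:rev], message, classification/priority,
# {PROTO} src:port -> dst:port. For ICMP Suricata puts type:code in the port slots.
# IPv4 only, which is all the question involves.
FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)


def parse_fast_log(text):
    """Return one dict per parsable alert line; blank and unparsable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sid"] = int(rec["sid"])
            alerts.append(rec)
    return alerts


def observed_pairs(alerts, sid=None):
    """Unordered {src, dst} pairs that produced an alert (optionally only for one sid)."""
    return {
        frozenset((a["src"], a["dst"]))
        for a in alerts
        if sid is None or a["sid"] == sid
    }


def coverage_report(alerts, sensor_ip, hosts, sid=None):
    """Compare every host pair we expected to see against the pairs that alerted.

    If every observed pair includes the sensor's own address, the NIC is only seeing
    traffic to and from itself (the symptom in the question), not the whole segment.
    """
    expected = {frozenset(p) for p in combinations(hosts, 2)}
    seen = observed_pairs(alerts, sid)
    return {
        "seen_pairs": seen,
        "missing_pairs": expected - seen,
        "sensor_only": all(sensor_ip in pair for pair in seen),
    }


if __name__ == "__main__":
    sensor = "192.168.1.101"
    pcs = ["192.168.1.101", "192.168.1.100", "192.168.1.1"]
    report = coverage_report(parse_fast_log(SAMPLE_FAST_LOG), sensor, pcs, sid=2)
    for pair in sorted(report["missing_pairs"], key=sorted):
        print("never observed:", " <-> ".join(sorted(pair)))
    if report["sensor_only"]:
        print("all alerts involve the sensor itself: it is not seeing third-party traffic")
```

Run it against the real /var/log/suricata/fast.log after pinging PC2 from PC3 and back; if the PC2/PC3 pair shows up as missing while sensor_only stays true, the limitation is below Suricata. The same thing can be checked at packet level with `tcpdump -n -i eth3 icmp and not host 192.168.1.101`: on a switched segment that prints nothing, and putting eth3 into promiscuous mode does not change that, because the switch never forwards the PC2/PC3 frames to PC1's port. Only a mirror (SPAN) port, a network TAP, or placing the sensor inline on the path fixes it.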
Is your router acting as a switch and preventing PC1 from seeing the traffic? This is not a Suricata problem, but a very basic networking design problem. – schroeder – 2014-07-21T17:36:32.687
I realised that I need a good switch that supports port mirroring, so that it can send all the traffic to PC1 for inspection. I only have a cheap router that doesn't support that feature. – None – 2014-07-22T03:42:42.913
possible duplicate of How to use the Suricata IDS to monitor the entire network? – James Mertz – 2014-07-30T20:15:06.857