Suricata and Zeek
#10860
Replies: 2 comments 1 reply
-
You can take a look here https://docs.securityonion.net/en/latest/network.html to see information on Suricata and Zeek. If you are running Zeek as metadata you probably have Suricata set as your signature-based IDS. You can also just run Suricata for both.

For the logs, do you see any logs on your sensors at /nsm/suricata/?
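The check suggested in the reply above (look for Suricata output under /nsm/suricata/ on each sensor) as a small triage script. This is an added example, not Security Onion's tooling and not code from anyone in this thread. It assumes the directory /nsm/suricata/ named in the reply, Suricata's default EVE output filename eve.json, and Suricata's standard EVE field names (event_type, alert.signature); the sample records it can run against are constructed, and the signature name in them is made up.

```shell
#!/bin/sh
# Added example (not Security Onion's own tooling): check whether Suricata is
# actually writing EVE logs on a sensor, which is the question raised in the
# thread. Assumptions: the log directory /nsm/suricata/ named in the thread,
# Suricata's default EVE filename eve.json, and Suricata's standard EVE field
# names (event_type, alert.signature). Uses only POSIX sh, find, grep and sed
# so it runs on a minimal sensor without jq.

# Return 0 if DIR/eve.json exists, is non-empty and was written to within the
# last 10 minutes; otherwise print a diagnosis and return 1.
suricata_log_check() {
    dir="${1:-/nsm/suricata}"
    eve="$dir/eve.json"
    if [ ! -d "$dir" ]; then
        echo "no $dir directory: Suricata is probably not enabled on this sensor"
        return 1
    fi
    if [ ! -s "$eve" ]; then
        echo "$eve is missing or empty: Suricata is not writing EVE output"
        return 1
    fi
    # find prints the path only if the file changed in the last 10 minutes
    if [ -z "$(find "$eve" -mmin -10 2>/dev/null)" ]; then
        echo "$eve exists but has not changed in 10 minutes: Suricata may be stopped"
        return 1
    fi
    echo "Suricata is writing $eve ($(eve_count_type "$eve" alert) alert records)"
    return 0
}

# Count EVE records of one event_type (alert, dns, flow, http, ...). grep -c
# prints 0 but exits 1 when nothing matches, so the exit status is neutralised.
eve_count_type() {
    grep -c "\"event_type\": *\"$2\"" "$1" || true
}

# Tally records by event_type, most common first. A sensor running Suricata
# only as the signature-based IDS shows mostly alert records; one running it
# for metadata as well also shows flow, dns, http and the rest.
eve_event_type_counts() {
    grep -o '"event_type": *"[a-z_]*"' "$1" \
        | sed 's/.*"\([a-z_]*\)"$/\1/' \
        | sort | uniq -c | sort -rn
}

# Constructed sample EVE records (not real sensor data) so the checks can be
# exercised offline. The signature name is made up.
make_sample_eve() {
    mkdir -p "$1"
    cat > "$1/eve.json" <<'EOF'
{"timestamp":"2023-07-31T14:25:01.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","alert":{"signature":"TEST constructed scan alert","severity":2}}
{"timestamp":"2023-07-31T14:25:02.000000+0000","event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.1"}
{"timestamp":"2023-07-31T14:25:03.000000+0000","event_type":"flow","src_ip":"10.0.0.5","dest_ip":"10.0.0.9"}
{"timestamp":"2023-07-31T14:25:04.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.9","alert":{"signature":"TEST constructed scan alert","severity":2}}
EOF
}

# With no arguments nothing runs (so the functions can be sourced).
# "--demo" runs against the constructed sample; any other argument is the
# Suricata log directory on the sensor, e.g. /nsm/suricata.
if [ "$#" -gt 0 ]; then
    if [ "$1" = "--demo" ]; then
        demo=$(mktemp -d)
        make_sample_eve "$demo"
        suricata_log_check "$demo"
        eve_event_type_counts "$demo/eve.json"
        rm -rf "$demo"
    else
        suricata_log_check "$1" && eve_event_type_counts "$1/eve.json"
    fi
fi
```

Run it on each sensor as a user that can read the log directory (`sh suricata_check.sh /nsm/suricata`); `sh suricata_check.sh --demo` exercises it on the constructed records. A missing directory or an eve.json that never changes is the symptom to chase in the sensor's configuration, whereas an eve.json that is growing but shows no Suricata data in Kibana points at the log shipping side instead.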
-
I didn't see anything under nsm/suricata. Does that mean it is not running? On Kibana I only see Zeek sources.
On Mon, Jul 31, 2023, 2:25 PM Chris Morgret wrote:

> You can take a look here https://docs.securityonion.net/en/latest/network.html to see information on Suricata and Zeek. If you are running Zeek as metadata you probably have Suricata set as your signature-based IDS. You can also just run Suricata for both.
>
> For the logs, do you see any logs on your sensors at /nsm/suricata/?
-
I have an air-gapped distributed deployment with a search manager and 2 sensors for training with simulated attacks. Can I run Zeek and Suricata at the same time? I only see Zeek events (I do have Zeek set as the metadata) and was wondering if there is more configuration I would need to do in order to see Suricata logs? Or am I not understanding the use case of these modules? Thanks!