Suricata_Issues #11175
Replies: 1 comment 5 replies
-
|
Do you have 2 NICs, one for management (with IP address) and a separate dedicated NIC for sniffing (without IP address)? Are you sniffing traffic from a tap or span port? |
Beta Was this translation helpful? Give feedback.
-
|
yes two cards the first for management and the second for supervision except that at the request of my boss I fixed the address of my second network card which is that of supervision. I rather sniff the traffic coming from a specific vlan, vlan10 for example it's there I have the servers supervised I don't know it can work in this direction also or well? |
Beta Was this translation helpful? Give feedback.
-
In most cases, the sniffing interface should not have an IP address at all. It should be totally passive and only receiving traffic from a tap or span port. I asked above but I didn't see an answer, so I'll ask again. Are you sniffing traffic from a tap or span port?
If the traffic you are monitoring has VLAN tags, then you should be able to filter by VLAN if that's what you're wanting to do: |
Beta Was this translation helpful? Give feedback.
-
|
Hello actually I answered maybe you didn't understand I said that I don't use Span or TAP during the installation of security onion the system administrator just created two network cards and when I checked the second card refer to a specific vlan in the network. and have a mac addresse you can check my config in the capture but even in this case I would like to know for good practice I just have to recover flows coming from the span or tap only? |
Beta Was this translation helpful? Give feedback.
-
|
You will need some way of getting unicast traffic for other hosts into your sniffing interface. That usually means collecting traffic from a tap or span port. For more information, please see https://docs.securityonion.net/en/2.3/hardware.html#packets. |
Beta Was this translation helpful? Give feedback.
-
|
Since this looks like esxi, make sure that your sysadmin has set the policy on the virtual switch to accept promiscuous mode. On enterprise, you should select the switch, go to Once you've got that set up, you will need to set up the VLAN as a trunk, covering the entire VLAN range that you want to ingest. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
hello i need helps i am try to personalize suricata rules here is my rule configuration in /opt/so/saltstack/local/salt/idstools/local.rules
:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET SCAN Nmap Scripting Engine User-Agent Detected (Nmap Scripting Engine)"; flow:to_server,established; http.user_agent; content:"Mozilla/5.0 (compatible|3b| Nmap Scripting Engine"; nocase; depth:46; reference:url,doc.emergingthreats.net/2009358; classtype:web-application-attack; sid:2009358; rev:6; metadata:created_at 2010_07_30, updated_at 2020_04_22;)
alert http $HOME_NET any -> any any (msg:"ET SCAN Possible Nmap User-Agent Observed"; flow:to_server,established; http.user_agent; content:"|20|Nmap"; fast_pattern; classtype:web-application-attack; sid:2024364; rev:4; metadata:affected_product Any, attack_target Client_and_Server, created_at 2017_06_08, deployment Perimeter, former_category SCAN, performance_impact Low, signature_severity Informational, updated_at 2020_08_06;)
and my suricata.yml is :
vars:
address-groups:
HOME_NET: '[192.168.150.0/24]'
EXTERNAL_NET: any
HTTP_SERVERS: $HOME_NET
my snifging ip fix is 192.168.150.61 So now even i try nmap i dont see alerte in all network . for example i can see juste nmap alerte beetwen my sneff ip and a nother host(linux) but not between the other adresse on windows i hav not alerte .
Beta Was this translation helpful? Give feedback.
All reactions