No Entries in Suricata Security Onion 2.3.10

[sgaitadmins]

Hello,

I have a Hyper-V install of latest version of Security Onion. I followed the steps from https://cybersecurity.att.com/documentation/usm-anywhere/deployment-guide/hyperv/getting-traffic-from-physical-network-hyper-v.htm to set the NIC and vSwitch settings. I can see traffic from my monitor port, but nothing is populating in Suricata. When I do a so-status, all entries are green. Anyone else experiencing this or similar with Suricata?

[sgaitadmins]

Update: I ran so-test and the replay data does show in Suricata. But, my live data still does not. I can see entries in Zeek and in Network categories.

[TOoSmOotH]

so-test plays it on the same interface as you are monitoring. I would run tcpdump on the bond interface and confirm you are actually seeing the traffic you are expecting.

[sgaitadmins]

I ran tcpdump on bond0 and I see the output of all the expected traffic from the monitor interface of the switch the physical port is connected to. That looks ok. Yet, still nothing in Suricata. I'm still familiarizing myself with where specific config files are in Security Onion 2. Is there a config that tells Suricata what interface to bind to?

[TOoSmOotH]

If you are seeing alerts on so-test then you would see alerts on your live traffic. It could be that your live traffic is not generating any alerts.

[sgaitadmins]

This can be closed. The monitor port on physical switch was setup to mirror traffic from public internet WAN and I was not getting any log entries in Suricata. I have setup the monitor port to be within DMZ and I am getting logs in Suricata now. So it is logging, I need to figure out why no logs are being generated from public internet interface, which you would think would generate many entries.