Suricata Alerts

[jrmsq]

Good morning, I used to have a standalone deployement, but I did my first distributed deployment.

I have one 1 Forward Node, one Search Node, and a Master.

I am not getting any Suricata Alerts. Did I do anything Wrong?

Also, how do I capture network traffic from a remote server?

I would appreciate any help you can give me.

[techstartupexplorer]

same issue its not capturing traffic at all

[palichx]

check status so-suricata(run so-status) and local logs on forward node in directory:
/nsm/suricata/
`

[jrmsq]

Good morning again.

So I went back to the documentation and went through the troubleshooting steps, and I did the part that mentioned the HOME_NET.

For my home_net option in the global.sys file that was wrong.

I changed it to have the following:

hnmanager: '10.0.0.0/8,192.168.6.0/24,172.16.0.0/12'

Then I ran so-rule-update
Finally, on the forwarding Node, I did: sudo salt-call state.apply Suricata,zeek

I hope this helps someone else:

https://docs.securityonion.net/en/2.3/homenet.html#homenet

https://docs.securityonion.net/en/2.3/suricata.html#troubleshooting-alerts

I know it's premature; I just did this a few minutes ago and got two alerts, but I will track it for the rest of the day and see if I get more hits.

Update, the only rule working from the actual VM: ET POLICY GNU/Linux YUM User-Agent Outbound is likely related to package management, not the entire network.

It seems like I would still need some assistance.

[jrmsq]

But now I have a different issue; I have two forward nodes. One was created last week, and one this week. The one that started last week sends logs for everything, whereas the one for this week only sends for just one type of log. Is there a way to make one node the primary because one has a span port while the other doesn't?

[jrmsq]

But now I have a different issue: two forward nodes. One was created last week, and one this week. The one that started last week sends logs for everything, whereas the one for this week only sends for just one type of log. Is there a way to make one node the primary because one has a span port while the other doesn't?

So this is a weird one, or maybe I need to understand something. So I reran the iso and did the setup, but I kept my secondary NIC off this time. After I rebooted the server, I enabled the port, then port spanning started to work, and now I am getting more alerts from Suricata. I will monitor it for a few days to ensure it's not a fluke.