How to use the Suricata IDS to monitor the entire network?
I have the following 3 PCs connected to a router via Ethernet:
PC1 – 192.168.1.101 (Linux Ubuntu)
PC2 – 192.168.1.100 (Windows)
PC3 – 192.168.1.1 (Windows)
All PCs can ping each other.
PC1 has Suricata installed in IDS mode. It has a simple ping rule included:
alert icmp any any -> any any (msg:"PING detected"; sid:2; rev:1;)
I launch Suricata by entering the following command in PC1:
suricata -c /etc/suricata/suricata.yaml -i eth3
eth3 is the main Ethernet interface in PC1.
The ping rule is triggered when I ping PC1 from PC2 and PC3, and the appropriate message is recorded in the log file. This rule is also triggered when I ping PC2 and PC3 from PC1.
However, this rule is not triggered when I ping PC2 from PC3 and vice versa. Suricata listens only on eth3 interface in PC1. The traffic doesn’t pass through PC1 when I ping PC2 from PC3, even though all 3 PCs are on the same network.
Is it possible to configure Suricata to monitor the entire network and not only the PC it is installed on?
networking router ethernet monitoring
asked Jul 21 '14 at 1:34 by Alex
2 Answers
Ethernet switches do not broadcast all traffic to all ports.
A unicast exchange between two hosts on two separate switch ports will not be seen by a listening host on a third switch port under normal operating conditions.
More expensive managed switches, with enterprise functions such as VLAN support, often have port mirroring features that serve as a wiretap utility, duplicating all traffic sent or received on any one port to a second designated port. Depending on the switch make and model, there may be caveats to this function that make the designated port less functional, i.e. only able to receive traffic, not send, while the mirroring is active.
Another caveat, likely on all but the most powerful, expensive switches, is that only one port can be mirrored at a time. For a 3-node switched network that's not a problem: if one or the other port is mirrored, either destination the host on the unmonitored port can talk to is monitored. A 4-node network, however, would leave two ports unmonitored.
In an Internet Gateway situation, port mirroring would be turned on between the router and the switch, and so would catch all Internet-sourced traffic, but not all LAN traffic.
There may exist switches that can mirror all VLAN or all backplane traffic to a designated port, but I'm not familiar with such functionality.
answered Jul 21 '14 at 3:43 by Nevin Williams
Thank you very much for the detailed answer, Nevin. I am very new to networking, so it's good to know about the port mirroring feature that switches can have. I only have access to a cheap USRobotics router. So I assume I will not be able to solve my problem without a decent switch. – Alex, Jul 21 '14 at 4:21
Have a look at the Netgear pro switches like:
GS105Ev2 – 5-Port Gigabit ProSAFE Plus Switch
They are pretty cheap and support a port mirror setup. Place the switch between your router and the rest of the network for internet visibility.
answered Jan 9 at 11:28 by Martin
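The following Python model of a learning switch is an added illustration for this thread; it is not Suricata code and not any switch vendor's implementation. It reproduces the observation in the question (the sensor on PC1 sees PC1<->PC2 and PC1<->PC3 pings but not PC2<->PC3) and the points in both answers: a single mirrored port covers a 3-node LAN, leaves two hosts unmonitored in a 4-node LAN, and mirroring the router's port (the switch placed between router and LAN) catches Internet-bound traffic but not LAN-to-LAN traffic. Switch port numbers, MAC addresses and the fourth "router" host are constructed for the example; the PC addresses are the ones given in the question.

```python
"""Learning-switch model: why a Suricata sensor on one switch port sees only
its own host's traffic, and what a mirror (SPAN) port changes.

Added illustration for this thread, not Suricata code and not a vendor's
switch implementation.  Ports, MACs and the 'router' host are constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed topology: switch port -> attached host.  PC1 runs Suricata on port 1.
HOSTS = {1: "PC1 192.168.1.101 (Suricata)", 2: "PC2 192.168.1.100",
         3: "PC3 192.168.1.1", 4: "router (constructed)"}
MAC = {p: f"02:00:00:00:00:0{p}" for p in HOSTS}  # constructed, locally administered


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    kind: str  # "arp_request", "arp_reply", "echo_request" or "echo_reply"


@dataclass
class Switch:
    """Transparent learning switch with at most one mirror session: every
    frame entering or leaving mirror_src is also copied to mirror_dst."""
    ports: set
    mirror_src: Optional[int] = None
    mirror_dst: Optional[int] = None
    mac_table: dict = field(default_factory=dict)  # MAC -> port it was learned on

    def forward(self, ingress: int, frame: Frame) -> set:
        """Return the set of egress ports that receive a copy of the frame."""
        self.mac_table[frame.src_mac] = ingress           # learn source MAC
        known = self.mac_table.get(frame.dst_mac)
        if frame.dst_mac == BROADCAST or known is None:
            egress = self.ports - {ingress}                # broadcast / unknown unicast: flood
        else:
            egress = {known}                               # known unicast: one port only
        if self.mirror_src is not None and (
                ingress == self.mirror_src or self.mirror_src in egress):
            egress.add(self.mirror_dst)                    # SPAN copy to the sensor port
        return egress


def ping_visibility(switch: Switch, sensor_port: int, src: int, dst: int) -> dict:
    """Simulate one `ping` from the host on port src to the host on port dst
    (ARP request/reply, then ICMP echo request/reply) and report which frames
    a sensor on sensor_port observes.  A host sees every frame it sends and
    every frame the switch delivers to its port."""
    exchange = [
        (src, Frame(MAC[src], BROADCAST, "arp_request")),
        (dst, Frame(MAC[dst], MAC[src], "arp_reply")),
        (src, Frame(MAC[src], MAC[dst], "echo_request")),
        (dst, Frame(MAC[dst], MAC[src], "echo_reply")),
    ]
    seen = {}
    for ingress, frame in exchange:
        egress = switch.forward(ingress, frame)
        seen[frame.kind] = ingress == sensor_port or sensor_port in egress
    return seen


def icmp_alerts(switch: Switch, sensor_port: int, src: int, dst: int) -> int:
    """Number of ICMP packets from one ping that reach the sensor, i.e. how
    many times the question's `alert icmp any any -> any any` rule would
    match (it has no direction or threshold, so request and reply both count)."""
    seen = ping_visibility(switch, sensor_port, src, dst)
    return int(seen["echo_request"]) + int(seen["echo_reply"])


if __name__ == "__main__":
    plain = Switch(ports={1, 2, 3})
    print("no mirror, PC2 -> PC1 :", icmp_alerts(plain, 1, 2, 1), "alerts")
    print("no mirror, PC3 -> PC2 :", icmp_alerts(plain, 1, 3, 2), "alerts",
          ping_visibility(plain, 1, 3, 2))
    span = Switch(ports={1, 2, 3}, mirror_src=2, mirror_dst=1)
    print("PC2 port mirrored, PC3 -> PC2 :", icmp_alerts(span, 1, 3, 2), "alerts")
    four = Switch(ports={1, 2, 3, 4}, mirror_src=2, mirror_dst=1)
    print("4 nodes, PC2 port mirrored, PC3 -> router :", icmp_alerts(four, 1, 3, 4), "alerts")
    gateway = Switch(ports={1, 2, 3, 4}, mirror_src=4, mirror_dst=1)
    print("router port mirrored, PC3 -> router :", icmp_alerts(gateway, 1, 3, 4), "alerts")
    print("router port mirrored, PC3 -> PC2    :", icmp_alerts(gateway, 1, 3, 2), "alerts")
```

Note that the only PC3->PC2 frame the unmirrored sensor ever sees is the ARP request, because broadcasts are flooded; the unicast ICMP frames go to one port. Putting eth3 in promiscuous mode does not change that, since the frames never reach PC1's port. The model also shows the mirror-port trade-off from the first answer: one SPAN session covers everything on a 3-node LAN only because every conversation involves the mirrored port or the sensor itself.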