How to use the Suricata IDS to monitor the entire network?

networking router ethernet monitoring
7,767

Ethernet switches do not broadcast all traffic to all ports.

A unicast exchange between two hosts on two separate switch ports will not be seen by a listening host on a third switch port under normal operating conditions.

More expensive managed switches, with enterprise functions such as VLAN support often have port mirroring features, that serve as a wiretap utility that duplicates all traffic sent or received on any one port to a second designated port. Depending on the switch make and model, there may be caveats to this function that may make the designated port less functional, ie: only able to receive traffic, not send, while the mirroring is active.

Another caveat that is likely on all but the most powerful, expensive switches, is that only one port can be mirrored at one time. For a 3 node switched network, that's not a problem, as if one or the other port is mirrored, either destination the host on the unmonitored port can talk to, is monitored. A 4 node network, however, would leave two ports unmonitored.

In an Internet Gateway situation, port mirroring would be turned on between the router and the switch, and so would catch all Internet-sourced traffic, but not all LAN traffic.

There may exist switches that can mirror all VLAN or all backplane traffic to a designated port, but I'm not familiar with such functionality.

Share:
7,767

Related videos on Youtube

Alex
Author by

Alex

Updated on September 18, 2022

Comments

  • Alex
    Alex over 1 year

    I have the following 3 PCs connected to a router via Ethernet:

    PC1 – 192.168.1.101 (Linux Ubuntu)

    PC2 – 192.168.1.100 (Windows)

    PC3 – 192.168.1.1 (Windows)

    All PCs can ping each other.

    PC1 has Suricata installed in IDS mode. It has a simple ping rule included:

    alert icmp any any -> any any (msg:"PING detected"; sid:2; rev:1;)

    I launch Suricata be entering the following command in PC1:

    suricata -c /etc/suricata/suricata.yaml -i eth3

    eth3 is the main Ethernet interface in PC1.

    The ping rule is triggered when I ping PC1 from PC2 and PC3, and the appropriate message is recorded in the log file. This rule is also triggered when I ping PC2 and PC3 from PC1.

    However, this rule is not triggered when I ping PC2 from PC3 and vice versa. Suricata listens only on eth3 interface in PC1. The traffic doesn’t pass through PC1 when I ping PC2 from PC3, even though all 3 PCs are on the same network.

    Is it possible to configure Suricata to monitor the entire network and not only the PC it is installed on?

  • Alex
    Alex almost 10 years
    Thank you very much for the detailed answer, Nevin. I am very new to networking, so it's good to know about the port mirroring feature that switches can have. I only have access to a cheap USRobotics router. So I assume I will not be able to solve my problem without a decent switch.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Share WiFi connection to another laptop
Does a router affect internet speed through Ethernet?
Unable to connect to slave router, IP address refused to connect
Can i have a second cable modem in my house to be able to have ethernet in two diffrent rooms?
Using ethernet cable (Cat 6) with phone jack?
Can a wrongly crimped Ethernet Cable work, but not as intended?
how to achieve gigabit speeds on LAN + WIFI at home?
Wifi range extender with ethernet input
Can I use a ethernet splitter to connect a router to two devices?
What is most likely to cause this packet loss?