Suricata to monitor entire network

Question

How to configure Suricate to capture packets on the entire network? I have already configured the Suricate but it's only capturing packets that send to Suricata installed host. I want the whole network packets to be captured by Suricata.

I have two different networks such as Data and Internal where Suricata is placed in Internal Network. I have already configured my switch to monitor few ports and destine to second port of Suricata Server but still I didn't see any changes.

Can some help on this matter?

score 1 · Accepted Answer · answered Nov 19 '17 at 12:40

1

the interface should be in promiscuous mode - to see all traffic.

(HOWTO depends on your os)

ifconfig eth1 up

ifconfig eth1 promisc

and check what is defined in suricata yaml who's under $HOME_NET , and what rules files are set, I recommend to take a glance there to better understand why certain rule is fired.

answered Nov 19 '17 at 12:40

e.z.a

71
5

Let me try on promisc mode – Shann Nov 19 '17 at 12:47

Suricata to monitor entire network

1 Answers1