
As a project I have a physical firewall (IP: 10.0.0.2) with a SPAN port configured to a physical Linux box (CentOS 6) (IP: 10.0.0.3) on which I am running Suricata IDS.

Theoretically I should receive all the traffic to the box through an interface I called "span0". I can confirm this by running ifconfig and seeing traffic. So all good.

When running Suricata as follows: sudo suricata -c /etc/suricata/suricata.yaml -i span0, I am not getting any errors. Also good.

The question here is how to configure the suricata.yaml file.

  • Should I have the HOME_NET on 10.0.0.2 or on 10.0.0.0/8?

Looking forward to hearing your feedback, Jan (Honza) Novak

Jan Novak

1 Answer


I am not a great IDS setup specialist, but I would suggest that the configuration depends on the network setup.

If the firewall simply broadcasts everything through itself, then you should choose 10.0.0.0/8 to protect the entire network. On the other hand, with this setting, events within the network may go unnoticed.

If NAT is configured, then I would suggest choosing 10.0.0.2 to track possible malicious activity both outside and inside the network.

AlexSin
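An added example, not from the question or the answer, that makes the trade-off above concrete: it checks which of a few constructed flows a rule with the common header `$EXTERNAL_NET any -> $HOME_NET any` can match under each HOME_NET choice, given the suricata.yaml default of EXTERNAL_NET: "!$HOME_NET". The flow addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample flows (source, destination); not from the original post.
SAMPLE_FLOWS = {
    "internet->firewall": ("198.51.100.7", "10.0.0.2"),
    "lan->firewall":      ("10.0.5.20", "10.0.0.2"),
    "lan->internet":      ("10.0.5.20", "198.51.100.7"),
    "lan->lan":           ("10.0.5.20", "10.0.9.40"),
}


def in_home_net(ip, home_net):
    """True if ip falls inside HOME_NET (a single host or CIDR, as in the question)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(home_net, strict=False)


def inbound_rule_fires(src, dst, home_net):
    """Direction check for a rule header of the form
        alert ip $EXTERNAL_NET any -> $HOME_NET any
    with the suricata.yaml default EXTERNAL_NET: "!$HOME_NET".
    The header matches only when src is outside HOME_NET and dst is inside it."""
    return (not in_home_net(src, home_net)) and in_home_net(dst, home_net)


def coverage(home_net):
    """Map each constructed flow to whether the inbound rule header would match it."""
    return {name: inbound_rule_fires(src, dst, home_net)
            for name, (src, dst) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    # HOME_NET = 10.0.0.2 treats LAN hosts as external, so lan->firewall is seen;
    # HOME_NET = 10.0.0.0/8 treats the whole LAN as home, so lan->firewall is not.
    for choice in ("10.0.0.2", "10.0.0.0/8"):
        print(choice, coverage(choice))
```

With HOME_NET set to 10.0.0.2 only, traffic from LAN hosts toward the firewall is still matched by inbound rules, which is the "inside the network" visibility the answer mentions; with 10.0.0.0/8, LAN-to-LAN and LAN-to-firewall flows never satisfy the `$EXTERNAL_NET -> $HOME_NET` direction.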