<html>
<body>
Suricata can run on a separate dedicated hardware at the border and not necessarily installed on a firewall or router.
<br>
<br>
<font color="#000000">> On Jul 28, 2018, at 5:10 PM, Oliver Humpage <<a href="mailto:oliver@watershed.co.uk">oliver@watershed.co.uk</a>> wrote:
</font><br>
<font color="#000000">>
</font><br>
<font color="#000000">>
</font><br>
<font color="#000000">>> On 28 Jul 2018, at 08:48, Utkarsh Bhargava <<a href="mailto:utkarsh@null.co.in">utkarsh@null.co.in</a>> wrote:
</font><br>
<font color="#000000">>>
</font><br>
<font color="#000000">>> How to monitor the entire network ( 120 nodes ) using suricata ? Do I need to install suricata on each device or there's something like suricata agents as we have in OSSEC ?
</font><br>
<font color="#000000">>
</font><br>
<font color="#000000">> You probably have two options.
</font><br>
<font color="#000000">>
</font><br>
<font color="#000000">> 1. If you don’t want suricata running on every host, you could run it on a router/firewall that sits at the boundary of the network instead. This wouldn’t protect hosts from each other, but would simplify the installation.
</font><br>
<font color="#000000">>
</font><br>
<font color="#000000">> 2. If you want host-based protection then yes, you need to install suricata on every host. There’s no other way it can work, since suricata needs to inspect network traffic, and you can’t forward the traffic from 120 hosts to a central server! However, you can centralise the logging of alerts, much as you do with ossec. Suricata can output in various formats, and you can send those logs/alerts to your central logging system such as an ELK stack, etc.
</font><br>
<font color="#000000">>
</font><br>
<font color="#000000">> Hope that helps,
</font><br>
<font color="#000000">>
</font><br>
<font color="#000000">> Oliver.
</font><br>
<font color="#000000">> _______________________________________________
</font><br>
<font color="#000000">> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a>
</font><br>
<font color="#000000">> Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a>
</font><br>
<font color="#000000">> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
</font><br>
<font color="#000000">>
</font><br>
<font color="#000000">> Conference: <a href="https://suricon.net">https://suricon.net</a>
</font><br>
<font color="#000000">> Trainings: <a href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a>
</font><br>
<br>
<BR />
<BR />
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to which they
are addressed. If you have received this email in error please notify Netsecuris management at mgmt@netsecuris.com. Please note that any views or opinions presented in
this email are solely those of the author and do not necessarily
represent those of Netsecuris Inc. The integrity and
security of this message cannot be guaranteed on the Internet
<BR />
</body>
</html>