<div dir="ltr"><div><div><div><div><div><div><div><div>Hi Utkarsh, I can't take credit for syntax you'll see below. Some other really brilliant guy posted this method on Sept 9th 2017 if you want to go fishing in the archives:<br></div>To grab pcaps from a device and ship to a suricata server that can analyze said pcaps.. this might be one way..<br><br>Post name: Suricata "bogus savefile header" error message<br>Sep 9, 2017<br><br>Basic thought behind this is:<br>Capture pcaps and ship/transfer them from the perimeter firewall/router to the suricata instance over SSH with:<br><br>tcpdump -nn -i br0 -F tcpdumpfilter -w - | ssh -T user@x.x.x.x "cat -> /home/user/somedirectory/br0-remote.pcap"<br><br>and then on the suricata server-- run:<br><br>sudo suricata -c /etc/suricata/suricata.yaml -r /home/user/somedirectory/br0-remote.pcap<br><br></div>This would take massive amounts of server memory/storage and compute to run 120 PCAPS simultaneously...<br></div>I'm not entirely sure it's realistic ;) I'm just giving you a frame of reference...<br><br></div>If you figure out a way to do this, I tip my hat to you sir and would love to hear about how you made it happen! I'm thinking KVM based V-guests or docker containers running multiple suricatas on 4 or 5 huge servers.... Sorry thinking out loud.. I digress..<br><br></div>Where the logging is concerned, well, I already suggested that you can use OWLH.. or you could simply ship everything back to a SIEM via syslog with custom log triggers that would email you upon receiving specific alert keywords in the logging etc..<br><br><br></div>I hope I've helped more than I've caused confusion..<br></div>Best,<br></div>CB<br><div><div><div><br></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">On Thu, Aug 2, 2018 at 1:38 AM Utkarsh Bhargava <<a href="mailto:utkarsh@null.co.in">utkarsh@null.co.in</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p>Hi Chris,</p>
<p>Thank you for your response.<br>
</p>
<p>I wanted to do full packet capture of all those 120 nodes. Along
with that, I also want to aggregate the logs for all 120 nodes.</p>
<p><br>
</p>
<p>Regards <br>
</p>
<p>Utkarsh<br>
</p>
<br>
<div class="m_-2305242723536413574moz-cite-prefix">On Thursday 02 August 2018 04:16 AM,
Chris Boley wrote:<br>
</div>
<blockquote type="cite">
<div>
<div dir="auto">Utkarsh, upon re-reading your question, I
realized that I may have misunderstood your question. Are you
asking how to position a sensor to monitor 120 endpoints? Or
are you asking how to aggregate logging from 120 sensors?</div>
</div>
<div><br>
<div class="gmail_quote">
<div dir="ltr">On Wed, Aug 1, 2018 at 6:38 PM Chris Boley <<a href="mailto:ilgtech75@gmail.com" target="_blank">ilgtech75@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<div dir="auto">look up OwlH, they’ve created an
integration package to put on your suricata sensor and
ship the logs to OSSEC / WAZUH. </div>
</div>
<div>
<div dir="auto"><br>
</div>
<div dir="auto">Chris</div>
</div>
<div><br>
<div class="gmail_quote">
<div dir="ltr">On Mon, Jul 30, 2018 at 4:11 PM Cooper F.
Nelson <<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">If
you are a Cisco shop you should check out ERSPAN:<br>
<br>
<a href="https://packetpushers.net/erspan-new-favorite-packet-capturing-trick/" rel="noreferrer" target="_blank">https://packetpushers.net/erspan-new-favorite-packet-capturing-trick/</a><br>
<br>
-Coop<br>
<br>
On 7/28/2018 12:48 AM, Utkarsh Bhargava wrote:<br>
> Hi All,<br>
><br>
> How to monitor the entire network (120 nodes)
using suricata? Do I<br>
> need to install suricata on each device, or
is there something like<br>
> suricata agents as we have in OSSEC?<br>
><br>
> Please help me !<br>
><br>
><br>
> Regards<br>
><br>
><br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> |
Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
> List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
><br>
> Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
> Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a><br>
<br>
-- <br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ITS Security Team<br>
<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a> x41042<br>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
<br>
</div>
</blockquote></div>
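The server side of the tcpdump-over-SSH approach Chris describes, as an added example that is not from the thread or from the Suricata project: it walks a spool of pcaps delivered by many sensors, skips files that are still streaming in or that do not start with a pcap/pcapng magic number (so suricata -r never sees a partial or bogus file), and runs suricata -r on each finished file with a per-sensor log directory so output from 120 sensors is never interleaved. The spool layout (spool/&lt;sensor&gt;/*.pcap, with in-flight transfers named *.pcap.part and renamed when complete) and the SURICATA / SURICATA_CFG variables are my assumptions.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumed layout:
#   <spool>/<sensor>/<name>.pcap.part   file still being written by "cat ->"
#   <spool>/<sensor>/<name>.pcap        transfer finished (renamed by the sensor)
#   <logroot>/<sensor>/                 eve.json etc. for that sensor only
SURICATA=${SURICATA:-suricata}          # assumed override hook for dry runs/tests
SURICATA_CFG=${SURICATA_CFG:-/etc/suricata/suricata.yaml}

# pcap_magic_ok FILE: succeed only if the first four bytes are a pcap
# (either byte order, microsecond or nanosecond) or pcapng magic number.
# libpcap rejects anything else, so empty or truncated files are skipped here
# instead of surfacing as a read error from suricata -r.
pcap_magic_ok() {
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n' || true)
    case "$magic" in
        a1b2c3d4|d4c3b2a1|a1b23c4d|4d3cb2a1|0a0d0d0a) return 0 ;;
        *) return 1 ;;
    esac
}

# process_spool SPOOL LOGROOT: run suricata -r on every finished pcap under
# SPOOL/<sensor>/, logging to LOGROOT/<sensor>/, then move the file into
# SPOOL/<sensor>/done/ so it is not analysed twice. Prints the count processed.
process_spool() {
    spool=$1; logroot=$2; n=0
    for f in "$spool"/*/*.pcap; do            # *.pcap.part is never matched
        [ -f "$f" ] || continue               # glob matched nothing
        sensor=$(basename "$(dirname "$f")")
        if ! pcap_magic_ok "$f"; then
            echo "skip $f: no pcap/pcapng header" >&2
            continue
        fi
        mkdir -p "$logroot/$sensor" "$spool/$sensor/done"
        if "$SURICATA" -c "$SURICATA_CFG" -r "$f" -l "$logroot/$sensor"; then
            mv "$f" "$spool/$sensor/done/"
            n=$((n + 1))
        else
            echo "suricata failed on $f, leaving it in place" >&2
        fi
    done
    echo "$n"
}
```

Run it from cron or a systemd timer on the Suricata box; each sensor's eve.json then lives under its own directory, which is what a syslog or OwlH/Wazuh shipper needs to tag alerts with the originating sensor.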