<!doctype html>
<html>
<head>
<meta charset="UTF-8">
</head>
<body>
<div>
Hi Yudhi
</div>
<div>
<br>
</div>
<div>
Do you have a network diagram? Can you share it? You can do so
</div>
<div>
privately to
<a href="mailto:amar@countersnipe.com">amar@countersnipe.com</a>
</div>
<div>
<br>
</div>
<div>
If it was a Suricata-related issue, you would have no alerts at all.
</div>
<div>
Therefore it has to be to do with your network. You probably have
</div>
<div>
all systems plugged into a switch with no
</div>
<div>
span/mirror port configuration!
</div>
<div>
Anyway, happy to help further... in fact, happy to let you have
</div>
<div>
CounterSnipe for free... you will get
</div>
<div>
the power of Suri plus rule, asset, event management for free... normally costs a lot of money
</div>
<div>
Here is the link if interested:
<a href="https://countersnipe.com/index.php/trial-software">https://countersnipe.com/index.php/trial-software</a>
</div>
<div>
<br>
</div>
<div>
Regards
</div>
<div>
Amar
</div>
<blockquote type="cite">
<div>
On April 8, 2020 7:59 PM yudhi ardiyanto &lt;yudhi.ardiyanto@gmail.com&gt; wrote:
</div>
<div>
<br>
</div>
<div>
<br>
</div>
<div>
<div dir="auto">
I used HOME_NET with network
<a href="http://10.20.20.0/24">10.20.20.0/24</a>. My IDS
<a href="http://10.20.20.174/24">10.20.20.174/24</a> (VM in VirtualBox), Kali Linux
<a href="http://10.20.20.82/24">10.20.20.82/24</a> (VM in VirtualBox) and my computer 10.20.20.29.
</div>
</div>
<div dir="auto">
<br>
</div>
<div dir="auto">
EXTERNAL_NET = any
</div>
<div dir="auto">
<br>
</div>
<div dir="auto">
If I attack 10.20.20.174 with Kali Linux 10.20.20.82 ===> Suricata detected
</div>
<div dir="auto">
<br>
</div>
<div dir="auto">
If I attack 10.20.20.29 from Kali Linux (10.20.20.82) ===> Suricata not detected
</div>
<div>
<br>
<div class="gmail_quote">
<div class="gmail_attr" dir="ltr">
On Thu, 9 Apr 2020 at 01.41 Tiago Faria <
<a href="mailto:tiago.faria.backups@gmail.com">tiago.faria.backups@gmail.com</a>> wrote:
<br>
</div>
<blockquote>
<div>
<div dir="auto">
Make sure the network definitions are configured properly (what defines your internal network).
</div>
</div>
<div>
<br>
<div class="gmail_quote">
<div class="gmail_attr" dir="ltr">
On Wed, 8 Apr 2020 at 08:23, yudhi ardiyanto <
<a target="_blank" href="mailto:yudhi.ardiyanto@gmail.com" rel="noopener">yudhi.ardiyanto@gmail.com</a>> wrote:
<br>
</div>
<blockquote>
<div dir="ltr">
<div>
Hello Guys
</div>
<div>
<br>
</div>
<div>
<pre dir="ltr" style="text-align: left;" id="m_2133132251479281368m_-7897753230508943934gmail-tw-target-text">Why can Suricata not detect attacks from other computers to other computers, but can only detect when someone attacks it?</pre>
</div>
</div>_______________________________________________
</blockquote>
</div>
</div>
<div>
<div class="gmail_quote">
<blockquote>
<br>Suricata IDS Users mailing list:
<a target="_blank" href="mailto:oisf-users@openinfosecfoundation.org" rel="noopener">oisf-users@openinfosecfoundation.org</a>
<br>Site:
<a target="_blank" href="http://suricata-ids.org" rel="noopener">http://suricata-ids.org</a> | Support:
<a target="_blank" href="http://suricata-ids.org/support/" rel="noopener">http://suricata-ids.org/support/</a>
<br>List:
<a target="_blank" href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noopener">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a>
<br>
<br>Conference:
<a target="_blank" href="https://suricon.net" rel="noopener">https://suricon.net</a>
<br>Trainings:
<a target="_blank" href="https://suricata-ids.org/training/" rel="noopener">https://suricata-ids.org/training/</a>
</blockquote>
</div>
</div>
</blockquote>
</div>
</div>
</blockquote>
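<div>
The diagnosis in the reply at the top of this thread (alerts only when the sensor itself is the target, pointing at a switch port with no span/mirror) can be checked from Suricata's own EVE log. The following is an added example, not part of the original thread or of Suricata: the function names are hypothetical, the log records are constructed, and the sensor address and HOME_NET are the ones given in the thread. It counts events where the sensor is neither endpoint, ignoring broadcast and multicast, which reach every switch port anyway.
</div>

```python
import ipaddress
import json

SENSOR_IP = ipaddress.ip_address("10.20.20.174")   # IDS address from the thread
HOME_NET = ipaddress.ip_network("10.20.20.0/24")   # HOME_NET from the thread

# Constructed sample of EVE JSON records (one object per line, as in eve.json).
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"10.20.20.82","dest_ip":"10.20.20.174","proto":"TCP"}
{"event_type":"flow","src_ip":"10.20.20.174","dest_ip":"10.20.20.1","proto":"UDP"}
{"event_type":"flow","src_ip":"10.20.20.29","dest_ip":"10.20.20.255","proto":"UDP"}
{"event_type":"flow","src_ip":"10.20.20.82","dest_ip":"224.0.0.251","proto":"UDP"}
not json
{"event_type":"stats"}
"""

def is_flooded(dest):
    """Broadcast/multicast is delivered to every switch port, so it proves nothing."""
    return (dest.is_multicast
            or dest == HOME_NET.broadcast_address
            or dest == ipaddress.ip_address("255.255.255.255"))

def classify(lines):
    """Count events by whether the sensor is an endpoint of the traffic."""
    counts = {"sensor": 0, "flooded": 0, "transit": 0}
    for line in lines:
        try:
            ev = json.loads(line)
            src = ipaddress.ip_address(ev["src_ip"])
            dst = ipaddress.ip_address(ev["dest_ip"])
        except (ValueError, KeyError, TypeError):
            continue  # skip damaged lines and records without addresses (e.g. stats)
        if SENSOR_IP in (src, dst):
            counts["sensor"] += 1
        elif is_flooded(dst):
            counts["flooded"] += 1
        else:
            counts["transit"] += 1  # unicast between two other hosts
    return counts

def sees_third_party_traffic(lines):
    """True only if the sensor captured unicast traffic between other hosts."""
    return classify(lines)["transit"] > 0

if __name__ == "__main__":
    print(classify(SAMPLE_EVE.splitlines()))
    print("mirror/span working:", sees_third_party_traffic(SAMPLE_EVE.splitlines()))
```

<div>
A "transit" count of zero over a period in which other hosts were known to be talking to each other means the capture interface is only receiving its own and flooded frames.
</div>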
</body>
</html>