[Oisf-users] suricata setup with a passive tap

Victor Julien lists at inliniac.net
Tue Mar 19 16:13:04 UTC 2013


On 03/19/2013 02:28 PM, David wrote:
> I have a question I couldn't find in the archives and I'm hoping it's not silly, heh.
> 
> I built a passive tap (see below for details) to monitor the traffic coming and going from the internet (cable modem) to my router (Apple Airport Extreme).  The tap is setup so that the traffic gets copied to an internal server (batista) where suricata monitors and alerts, strictly being used as an IDS for now.   Basically, here's my traffic flow:
> 
> 
> Internet -> batista:eth2 -> Airport Extreme
> Airport Extreme  -> batista:eth1 -> Internet
> 
> Suricata HOME_NET:
> HOME_NET: "[192.168.0.0/24,xx.xx.xx.xx]"  <- xx = my external IP
> 
> I have suricata setup to listen on both interfaces on batista:
> 
> af-packet:
>   - interface: eth1
>     threads: 1
>     cluster-id: 99
>     cluster-type: cluster_flow
>     defrag: yes
>     use-mmap: yes
>   - interface: eth2
>     threads: 1
>     cluster-id: 98
>     cluster-type: cluster_flow
>     defrag: yes
> 
> So, my question is:  Is this the right kind of setup for suricata to monitor traffic with a passive tap?  I have the ET rules setup and working, I get alerts in my log files and everything *seems* good.  I just want to make sure I'm using suricata correctly (setup and config) before I start asking my next questions.
> 
> passive tap: http://www.yourwarrantyisvoid.com/2011/04/06/homeland-security-build-a-passive-ethernet-tap/
> 
> The reason I'm using a passive tap is I don't want my IDS box to be a point of failure.  If the server goes down, I want traffic to still flow.

Looks good to me.

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
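As an added illustration of what the two-leg tap above hands the IDS (example code written for this page, not part of the thread or of Suricata): packets captured on eth1 and eth2 each carry only one direction of a conversation, so the check below recombines them into bidirectional flows using the post's HOME_NET and flags any packet whose direction disagrees with the leg it arrived on, which would indicate a mis-cabled tap. The external IP, the sample packets and the dictionary field names are constructed placeholders.

```python
import ipaddress
from collections import defaultdict

# HOME_NET from the post. The external address "xx.xx.xx.xx" is not on the
# page, so a documentation-range placeholder stands in for it (assumption).
EXTERNAL_IP = "203.0.113.10"
HOME_NET = [ipaddress.ip_network("192.168.0.0/24"),
            ipaddress.ip_network(EXTERNAL_IP + "/32")]

# Which tap leg should carry which direction, per the post's traffic flow:
# eth2 = Internet -> Airport Extreme, eth1 = Airport Extreme -> Internet.
LEG_DIRECTION = {"eth1": "outbound", "eth2": "inbound"}

def is_home(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOME_NET)

def direction(pkt):
    src_home, dst_home = is_home(pkt["src"]), is_home(pkt["dst"])
    if src_home and not dst_home:
        return "outbound"
    if dst_home and not src_home:
        return "inbound"
    return "other"

def flow_key(pkt):
    # Endpoint-ordered 5-tuple so both halves of a conversation share one key.
    a, b = (pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (a + b if a <= b else b + a)

def check_tap(packets):
    """Group packets from both legs into bidirectional flows and flag any
    packet whose direction does not match the leg it was captured on."""
    flows = defaultdict(lambda: {"legs": set(), "packets": 0})
    miswired = []
    for pkt in packets:
        d = direction(pkt)
        if d != "other" and d != LEG_DIRECTION.get(pkt["iface"]):
            miswired.append((pkt["iface"], d, pkt["src"], pkt["dst"]))
        f = flows[flow_key(pkt)]
        f["legs"].add(pkt["iface"])
        f["packets"] += 1
    return dict(flows), miswired

# Constructed sample capture. The tap sits between modem and router, so the
# home side shows up with the router's external (NATed) address, not 192.168.0.x.
SAMPLE = [
    {"iface": "eth1", "proto": "tcp", "src": EXTERNAL_IP, "sport": 51000,
     "dst": "198.51.100.7", "dport": 443},    # client SYN on the outbound leg
    {"iface": "eth2", "proto": "tcp", "src": "198.51.100.7", "sport": 443,
     "dst": EXTERNAL_IP, "dport": 51000},     # server reply on the inbound leg
    {"iface": "eth1", "proto": "udp", "src": "198.51.100.9", "sport": 53,
     "dst": EXTERNAL_IP, "dport": 40000},     # inbound packet on eth1: miswired
]
```

Running check_tap(SAMPLE) yields one TCP flow seen on both legs plus a UDP packet flagged because an inbound datagram arrived on the outbound leg.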