[Oisf-users] Place to install Suricata

Christophe Vandeplas christophe at vandeplas.com
Mon May 18 08:46:06 UTC 2015


On 14 May 2015 at 15:06, minh van <mvtrung27 at gmail.com> wrote:
> Hello,
>
> I think the FortiGate is not strong enough in alerting, analysis, APT... and
> also monitoring.
> If I am wrong, please point me in the right direction.

If you're interested in APT things, I would propose another topology
than what Peter proposed.
Rovnov has a point that you already have a FortiGate that has some IDS
functionality.

I would recommend using that functionality to your advantage, and
eliminate a LOT of the incoming traffic/noise.
From my experience detecting APTs is usually done by finding outbound
traffic (CnC), and traffic attacking your DMZ systems (published
services). So the less noise the better, and the more time you can
spend to do manual analysis of the alerts you will be getting.

My recommendation is to put suricata on a span port mirroring traffic
on the core switch.
However, an important question is where your DMZs are. If all your
VLANs (if you have some) are flowing through your firewall over a trunk,
then mirror the port going to the firewall. You'll have a lot of
interesting traffic over there.

If you have LOTS of performance on the hardware Suricata runs on, then
mirror the ports from the LAN clients + from the ESX servers (if
possible).

Kind regards
Christophe



> ________________________________
> From: Rovnov Pavel
> Sent: 5/14/2015 5:00 PM
> To: Minh Trung
> Cc: oisf-users at lists.openinfosecfoundation.org
> Subject: RE: [Oisf-users] Place to install Suricata
>
> Hello Minh,
>
> Why don’t you use FortiGate? For what specific purpose do you need Suricata?
>
> Regards,
>
> Pavel
>
> From: oisf-users-bounces at lists.openinfosecfoundation.org
> [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of
> Minh Trung
> Sent: Thursday, May 14, 2015 11:07 AM
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: [Oisf-users] Place to install Suricata
>
> Hi experts,
>
> My network as below:
>
> Internet line
>       |
>     Router
>       |
>  Switch(Cisco 2960)
>       |
> VPN 1 line <---+--- Firewalls(Fortinet) ---+---> VPN 2 line
>       |
>  Core switches
>     |          |
>    LAN    VMware system(ESX)
>
> Is it possible to place Suricata on VMware? Which spec do I need to
> configure for this machine? I want to capture everything from the Internet
> line; how do I configure Suricata to listen to everything on the router,
> and what would the router configuration look like?
> Any help is appreciated,
>
> Regards,
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 4 & 5 in Barcelona: http://oisfevents.net
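Christophe's point above is that once the FortiGate has removed the bulk of the inbound noise, the alerts worth an analyst's time are outbound LAN-to-Internet traffic (possible CnC) and Internet-to-DMZ traffic against published services. The script below is an added example, not code from this thread or from the Suricata project: it reads Suricata EVE JSON lines, labels each alert by the zones of its source and destination, and orders the alerts so those two directions come first. The LAN and DMZ prefixes, the sample EVE lines, and the signature ids and names are all constructed for the example and must be replaced with the real ones.

```python
"""
Direction-aware triage of Suricata EVE alerts (added example).

Assumes EVE JSON output with the standard "alert" event type and the
src_ip / dest_ip / alert.severity / alert.signature_id fields.
The address ranges below are constructed placeholders.
"""
import ipaddress
import json
import sys

# Constructed prefixes: replace with the real LAN and DMZ ranges.
LAN_NETS = [ipaddress.ip_network("10.0.0.0/8"),
            ipaddress.ip_network("192.168.0.0/16")]
DMZ_NETS = [ipaddress.ip_network("172.16.10.0/24")]

# Lower number = looked at first. Mirrors the priorities in the thread.
PRIORITY = {
    "outbound-cnc-candidate": 0,   # LAN -> Internet: possible beaconing/CnC
    "inbound-dmz-attack": 1,       # Internet -> DMZ: attacks on published services
    "inbound-lan": 2,              # Internet -> LAN: normally already blocked upstream
    "internal": 3,                 # LAN <-> LAN / LAN <-> DMZ: mostly noise here
}


def zone_of(ip_str):
    """Return 'lan', 'dmz' or 'internet' for an address string."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in LAN_NETS):
        return "lan"
    if any(ip in net for net in DMZ_NETS):
        return "dmz"
    return "internet"


def classify(event):
    """Label an alert by the direction of the flow that raised it."""
    src, dst = zone_of(event["src_ip"]), zone_of(event["dest_ip"])
    if src == "lan" and dst == "internet":
        return "outbound-cnc-candidate"
    if src == "internet" and dst == "dmz":
        return "inbound-dmz-attack"
    if src == "internet" and dst == "lan":
        return "inbound-lan"
    return "internal"


def triage(eve_lines):
    """Parse EVE JSON lines, keep only alerts, return them in review order.

    Sort key: direction priority first, then Suricata severity (1 = high).
    """
    alerts = []
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        if event.get("event_type") != "alert":
            continue            # flow, dns, http, ... records are not triaged here
        event["direction"] = classify(event)
        alerts.append(event)
    alerts.sort(key=lambda e: (PRIORITY[e["direction"]],
                               e["alert"].get("severity", 3)))
    return alerts


# Constructed sample EVE records; signature ids/names are placeholders.
SAMPLE_EVE = """
{"timestamp":"2015-05-18T08:00:01.000000+0000","event_type":"alert","src_ip":"10.1.2.3","src_port":49152,"dest_ip":"203.0.113.7","dest_port":443,"proto":"TCP","alert":{"signature_id":1000001,"signature":"EXAMPLE periodic connection to external host","severity":1}}
{"timestamp":"2015-05-18T08:00:02.000000+0000","event_type":"flow","src_ip":"10.1.2.3","dest_ip":"10.1.2.4"}
{"timestamp":"2015-05-18T08:00:03.000000+0000","event_type":"alert","src_ip":"198.51.100.9","src_port":53211,"dest_ip":"172.16.10.5","dest_port":80,"proto":"TCP","alert":{"signature_id":1000002,"signature":"EXAMPLE web scanner against DMZ host","severity":2}}
{"timestamp":"2015-05-18T08:00:04.000000+0000","event_type":"alert","src_ip":"10.1.2.9","src_port":51000,"dest_ip":"10.1.3.4","dest_port":445,"proto":"TCP","alert":{"signature_id":1000003,"signature":"EXAMPLE internal SMB noise","severity":3}}
{"timestamp":"2015-05-18T08:00:05.000000+0000","event_type":"alert","src_ip":"198.51.100.9","src_port":4000,"dest_ip":"10.1.2.3","dest_port":22,"proto":"TCP","alert":{"signature_id":1000004,"signature":"EXAMPLE ssh probe","severity":2}}
""".strip().splitlines()


if __name__ == "__main__":
    # Pipe a real eve.json in, or run without input to use the sample records.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_EVE
    for ev in triage(lines):
        print(f'{ev["direction"]:24} sev={ev["alert"]["severity"]} '
              f'{ev["src_ip"]} -> {ev["dest_ip"]}  {ev["alert"]["signature"]}')
```

Run it as `python3 triage.py < /var/log/suricata/eve.json` on a sensor fed from the span port. The zone tables are where the placement question matters: if the mirrored port is the firewall trunk, the DMZ prefixes must be listed explicitly, otherwise traffic to published services is misfiled as internal and drops to the bottom of the queue.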