[Oisf-users] How to deploy suricata

Chris Boley ilgtech75 at gmail.com
Thu Aug 2 15:21:21 UTC 2018


Hi Utkarsh, I can't take credit for the syntax you'll see below. Some other
really brilliant guy posted this method on Sept 9th 2017, if you want to go
fishing in the archives.
To grab pcaps from a device and ship them to a suricata server that can analyze
said pcaps, this might be one way:

Post name:  Suricata "bogus savefile header" error message
Sep 9, 2017

Basic thought behind this is:
Capture pcaps and ship/transfer them from the perimeter firewall/router to
the suricata instance over SSH with:

tcpdump -nn -i br0 -F tcpdumpfilter -w - | ssh -T user@x.x.x.x "cat - > /home/user/somedirectory/br0-remote.pcap"

and then, on the suricata server, run:

sudo suricata -c /etc/suricata/suricata.yaml -r /home/user/somedirectory/br0-remote.pcap

This would take massive amounts of server memory/storage and compute to run
120 PCAPS simultaneously...
I'm not entirely sure it's realistic ;) I'm just giving you a frame of
reference...

If you figure out a way to do this, I tip my hat to you sir and would love
to hear about how you made it happen! I'm thinking KVM based V-guests or
docker containers running multiple suricatas on 4 or 5 huge servers....
Sorry thinking out loud.. I digress..

Where the logging is concerned, well, I already suggested that you can use
OWLH.. or you could simply ship everything back to a SIEM via syslog with
custom log triggers that would email you upon receiving specific alert
keywords in the logging, etc..


I hope I've helped more than I've caused confusion..
Best,
CB

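The capture/ship/analyze pipeline described above, written out for a list of nodes, pulled from the sensor side rather than pushed from each device, and with a check of the pcap magic before `suricata -r` (a truncated transfer is what produces the "bogus savefile header" error named in the post title); this is an added example, not code from the original post or from the Suricata project. It assumes key-based SSH to each node, tcpdump and GNU coreutils timeout on the node, a BPF filter file at /etc/tcpdump/filter.bpf on the node, and a nodes.txt of "host interface" pairs, all constructed names.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes key-based SSH to each
# node, tcpdump on it, and a BPF filter file at the constructed path below.
set -eu
PCAP_DIR=${PCAP_DIR:-/var/spool/pcaps}
LOG_BASE=${LOG_BASE:-/var/log/suricata/nodes}
FILTER_FILE=${FILTER_FILE:-/etc/tcpdump/filter.bpf}   # path on the remote node

# Return 0 if the file starts with a libpcap magic number (either byte order,
# microsecond or nanosecond timestamps). A truncated or empty transfer fails
# this check and would be rejected by suricata -r as "bogus savefile header".
pcap_header_ok() {
    magic=$(head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$magic" in
        d4c3b2a1|a1b2c3d4|4d3cb2a1|a1b23c4d) return 0 ;;
        *) return 1 ;;
    esac
}

# Capture on interface $2 of node $1 for $3 seconds and stream the pcap into a
# local file; nothing is written to the node's disk. timeout exits 124 when
# the window ends normally, so success is judged by the header check instead.
pull_capture() {
    out="$PCAP_DIR/$1-$2.pcap"
    ssh -T "$1" "timeout $3 tcpdump -nn -i $2 -F $FILTER_FILE -w -" > "$out" || true
    echo "$out"
}

# Run suricata offline over one pcap, logging under a per-node directory so
# that alerts from many nodes do not all land in a single eve.json.
analyze() {
    logdir="$LOG_BASE/$2"
    mkdir -p "$logdir"
    if ! pcap_header_ok "$1"; then
        echo "skipping $1: not a libpcap savefile (truncated transfer?)" >&2
        return 1
    fi
    suricata -c /etc/suricata/suricata.yaml -r "$1" -l "$logdir"
}

# nodes.txt (constructed) holds one "host interface" pair per line.
main() {
    mkdir -p "$PCAP_DIR"
    while read -r node iface; do
        f=$(pull_capture "$node" "$iface" 300)
        analyze "$f" "$node" || continue
    done < "${1:-nodes.txt}"
}

case "${0##*/}" in pcap_pipeline.sh) main "$@" ;; esac   # run only as a script
```

Save it as pcap_pipeline.sh and run it as `./pcap_pipeline.sh nodes.txt`; each node's alerts end up under /var/log/suricata/nodes/<host>/.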

On Thu, Aug 2, 2018 at 1:38 AM Utkarsh Bhargava <utkarsh at null.co.in> wrote:

> Hi Chris,
>
> Thank you for your response.
>
> I wanted to do full packet capture of all those 120 nodes. Along with that,
> I also want to aggregate the logs for all 120 nodes.
>
>
> Regards
>
> Utkarsh
>
> On Thursday 02 August 2018 04:16 AM, Chris Boley wrote:
>
> Utkarsh, upon re-reading your question, I realized that I may have
> misunderstood your question. Are you asking how to position a sensor to
> monitor 120 endpoints? Or are you asking how to aggregate logging from 120
> sensors?
>
> On Wed, Aug 1, 2018 at 6:38 PM Chris Boley <ilgtech75 at gmail.com> wrote:
>
>> look up OwlH, they’ve created an integration package to put on your
>> suricata sensor and ship the logs to OSSEC / Wazuh.
>>
>> Chris
>>
>> On Mon, Jul 30, 2018 at 4:11 PM Cooper F. Nelson <cnelson at ucsd.edu>
>> wrote:
>>
>>> If you are a Cisco shop you should check out ERSPAN:
>>>
>>> https://packetpushers.net/erspan-new-favorite-packet-capturing-trick/
>>>
>>> -Coop
>>>
>>> On 7/28/2018 12:48 AM, Utkarsh Bhargava wrote:
>>> > Hi All,
>>> >
>>> > How to monitor the entire network (120 nodes) using suricata? Do I
>>> > need to install suricata on each device, or is there something like
>>> > suricata agents, as we have in OSSEC?
>>> >
>>> > Please help me !
>>> >
>>> >
>>> > Regards
>>> >
>>> >
>>> > _______________________________________________
>>> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> > Site: http://suricata-ids.org | Support:
>>> http://suricata-ids.org/support/
>>> > List:
>>> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> >
>>> > Conference: https://suricon.net
>>> > Trainings: https://suricata-ids.org/training/
>>>
>>> --
>>> Cooper Nelson
>>> Network Security Analyst
>>> UCSD ITS Security Team
>>> cnelson at ucsd.edu x41042
>>>
>>>
>>