[Oisf-users] How to deploy suricata

Oliver Humpage oliver at watershed.co.uk
Sat Jul 28 22:10:25 UTC 2018


> On 28 Jul 2018, at 08:48, Utkarsh Bhargava <utkarsh at null.co.in> wrote:
> 
> How to monitor the entire network ( 120 nodes ) using suricata ? Do I need to install suricata on each device or there's something like suricata agents as we have in OSSEC ?

You probably have two options.

1. If you don’t want suricata running on every host, you could run it on a router/firewall that sits at the boundary of the network instead. This wouldn’t protect hosts from each other, but would simplify the installation.

2. If you want host-based protection then yes, you need to install suricata on every host. There’s no other way it can work, since suricata needs to inspect network traffic, and you can’t forward the traffic from 120 hosts to a central server! However, you can centralise the logging of alerts, much as you do with ossec. Suricata can output in various formats, and you can send those logs/alerts to your central logging system such as an ELK stack, etc.

Hope that helps,

Oliver.
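Option 2 above has every host's suricata instance ship alerts to one collector. The following is an added example (not from the list post or the Suricata project) of what the central side of that does with Suricata's EVE JSON output: it reads one JSON record per line, keeps only alert events, counts them per sensor and signature, and reports which sensors have been heard from at all. The sample lines are constructed here, and the per-sensor `host` field is an assumption (it is populated only when each host's suricata is configured with a sensor name).

```python
import json
from collections import Counter

# Constructed sample EVE JSON lines as three hosts' suricata instances might
# forward them to a central log collector (one JSON object per line).
SAMPLE_EVE_LINES = [
    '{"timestamp":"2018-07-28T08:50:01+0000","host":"ws-01","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.12","alert":{"signature":"SSH scan","severity":2}}',
    '{"timestamp":"2018-07-28T08:50:02+0000","host":"ws-02","event_type":"flow",'
    '"src_ip":"10.0.0.7","dest_ip":"10.0.0.12"}',
    '{"timestamp":"2018-07-28T08:50:03+0000","host":"ws-02","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.7","alert":{"signature":"SSH scan","severity":2}}',
    '{"timestamp":"2018-07-28T08:50:04+0000","host":"ws-01","event_type":"alert",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.12","alert":{"signature":"SSH scan","severity":2}}',
    'this line is not JSON and must be skipped, not crash the collector',
    '{"timestamp":"2018-07-28T08:50:05+0000","host":"ws-03","event_type":"alert",'
    '"src_ip":"10.0.0.9","dest_ip":"10.0.0.12","alert":{"signature":"Policy hit","severity":3}}',
]


def parse_eve_lines(lines):
    """Yield decoded EVE records, silently skipping blank or malformed lines."""
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if isinstance(rec, dict):
            yield rec


def summarise_alerts(lines):
    """Count alert events per (sensor host, signature); other event types are ignored."""
    counts = Counter()
    for rec in parse_eve_lines(lines):
        if rec.get("event_type") != "alert":
            continue
        sensor = rec.get("host", "unknown-sensor")  # assumed per-host sensor name
        signature = rec.get("alert", {}).get("signature", "?")
        counts[(sensor, signature)] += 1
    return counts


def sensors_seen(lines):
    """Set of sensor hosts that produced any event; a host missing here has gone quiet."""
    return {rec.get("host", "unknown-sensor") for rec in parse_eve_lines(lines)}
```

Comparing `sensors_seen` against the list of hosts that should be running suricata is the cheap way to notice a host whose instance has stopped reporting.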
