[Oisf-users] Suricata doesn't alert

Dave Killion dave.killion at gmail.com
Mon Sep 23 06:11:42 UTC 2019


The switch is doing what switches do - it has learned which interface the
different computers are connected to and sends the ICMP packet for C only
to the port C is connected to, and doesn't send a packet to the port B is
connected to - in a normal switched environment, B will only get packets
destined to B at the Layer 2 level.

In order for B to monitor all packets on the LAN, you need to configure B's
switch port for "monitor mode" or "span port mode" - this usually requires
a more expensive switch that can be managed remotely, and not a simple
switch that has no management UI.

Another idea, more affordable, but also more crude, is to use a hub/bridge
instead of a switch - this way, everyone gets a copy of everyone's packet.
This will reduce the effective bandwidth on your LAN, but if most devices
are going to/from the Internet, you won't notice it overmuch.  Bridges are
harder to find these days, especially at higher speeds.

On Sun, Sep 22, 2019 at 10:33 PM Tuấn Ngọc Trần Lê <tranletuanngoc at gmail.com> wrote:

> Hello,
> I wrote a rule for Suricata to detect ICMP connections and have it loaded.
> alert icmp $HOME_NET any -> $HOME_NET any (msg:"ICMP connection attempt";
> sid:1000002; rev:1;)
> It works fine when I try to ping from a computer in the network  (A) to
> the one running Suricata (B).
> However, when I ping from (A) to another computer (C), (B) doesn't detect
> and alert.
> (A), (B) and (C) are connected to a switch.
> Please help me.
> Thank you,
> Ngoc Tran (Frank)
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/

Dave Killion
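A small model of the forwarding decision Dave describes, added here as an illustration and not part of the original thread. It simulates a learning switch (with an optional mirror/SPAN port) and a hub, feeds both a constructed ARP-then-ICMP exchange between A and C, and reports which frames a sensor on B's port actually receives. The MAC addresses, port numbers, frame sequence and the `Switch`/`Hub`/`seen_by` API are all made up for the example; the one extra wrinkle it shows is that even with mirroring in place, the sensor NIC must be in promiscuous mode or its hardware filter will still drop the unicast frames addressed to other hosts.

```python
"""Toy learning switch vs. hub vs. mirror port, to show what an IDS on
a plain switch port sees.  Added example; MACs, ports and API are
assumptions, not anything from the thread or from Suricata."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    payload: str


@dataclass
class Switch:
    """Learning switch: unknown-unicast and broadcast are flooded,
    known unicast goes out one port, plus an optional mirror port."""
    ports: int
    mirror_to: Optional[int] = None                      # SPAN destination
    mac_table: Dict[str, int] = field(default_factory=dict)

    def forward(self, ingress: int, frame: Frame) -> Set[int]:
        self.mac_table[frame.src] = ingress              # learn source MAC
        known = self.mac_table.get(frame.dst)
        if frame.dst == BROADCAST or known is None:
            egress = {p for p in range(self.ports) if p != ingress}
        else:
            egress = {known}
        if self.mirror_to is not None and self.mirror_to != ingress:
            egress.add(self.mirror_to)                   # copy to SPAN port
        return egress


@dataclass
class Hub:
    """Hub/repeater: every frame goes to every other port."""
    ports: int

    def forward(self, ingress: int, frame: Frame) -> Set[int]:
        return {p for p in range(self.ports) if p != ingress}


# Constructed topology: A on port 0, B (the Suricata box) on port 1, C on port 2.
A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
PORT_OF = {A: 0, B: 1, C: 2}

# Constructed traffic: A resolves C with ARP, then pings it.
TRAFFIC = [
    Frame(A, BROADCAST, "ARP who-has C"),
    Frame(C, A, "ARP C is-at"),
    Frame(A, C, "ICMP echo request"),
    Frame(C, A, "ICMP echo reply"),
]


def seen_by(device, sensor_mac: str, traffic: List[Frame], promisc: bool = True) -> List[str]:
    """Payloads that reach the sensor's port AND pass its NIC filter."""
    seen = []
    for fr in traffic:
        egress = device.forward(PORT_OF[fr.src], fr)
        if PORT_OF[sensor_mac] not in egress:
            continue                                     # switch never sent it
        if not promisc and fr.dst not in (sensor_mac, BROADCAST):
            continue                                     # NIC drops other MACs
        seen.append(fr.payload)
    return seen


if __name__ == "__main__":
    print("plain switch     :", seen_by(Switch(3), B, TRAFFIC))
    print("switch + SPAN    :", seen_by(Switch(3, mirror_to=PORT_OF[B]), B, TRAFFIC))
    print("SPAN, no promisc :", seen_by(Switch(3, mirror_to=PORT_OF[B]), B, TRAFFIC, promisc=False))
    print("hub              :", seen_by(Hub(3), B, TRAFFIC))
```

On the plain switch the only frame B ever sees is the ARP broadcast; the ARP reply teaches the switch where C lives, so the ICMP exchange is delivered to C's port alone. With a mirror port (or a hub) B gets all four frames, but only if its interface accepts frames for other MACs, which is what the `promisc=False` case shows going wrong.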