Support #3706 (closed)
Suricata doesn't detect threats to IPs other than its own
Description
Hello,
My Suricata config is working fine, as in: if I start an Nmap scan against Suricata's VM IP address, Suricata shows an alert, but the problem is that it does not show alerts when I do a scan on another virtual machine (in the same subnet as my Suricata VM). Can anyone help me? I've been trying to resolve that issue with no success.
Thanks
Updated by Victor Julien over 4 years ago
- Tracker changed from Bug to Support
- Priority changed from Immediate to Normal
Can you please leave the priority set to normal? Thanks.
Updated by Andreas Herz over 4 years ago
- Status changed from New to Feedback
- Assignee set to Little Yu
Hi,
Please stop setting support tickets to Immediate priority. Also, please provide more details about your setup, as requested in other issues created by you; otherwise it's rather hard to help you.
Updated by Little Yu over 4 years ago
I'm sorry, not gonna do it again.
I'm on Suricata version 4.1.2 and my suricata.yaml setup is as follows:
HOME_NET: "[192.168.0.0/24]"
EXTERNAL_NET: "!$HOME_NET"
As for rules, I'm using the Emerging Threats rules that are available with suricata-update, so those lines are also not commented out in suricata.yaml:
default-rule-path: /etc/suricata/rules
rule-files:
  - suricata.rules
And when I start Suricata with: suricata -c /etc/suricata/suricata.yaml -i enp0s3
it shows that it is working fine and the rules are enabled.
As for the alerts, I did an nmap scan on the virtual machine where Suricata (192.168.0.34) is. The alerts show up fine in fast.log, but when I do an nmap scan on another virtual machine (192.168.0.39), no alert shows up in fast.log.
Updated by Andreas Herz over 4 years ago
Did you ensure that the routing/mirroring of the traffic is forwarded to that interface?
If you run tcpdump -nn -vv -i enp0s3 host 192.168.0.39 do you see that traffic?
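The check Andreas asks for above, written out as a small script (an added example, not something from the ticket or from the Suricata project): it confirms whether the sensor's capture interface is in promiscuous mode and whether tcpdump actually captures any packets to or from the other VM, and turns the two observations into a verdict. Interface name enp0s3 and host 192.168.0.39 are taken from the ticket as placeholders; the `ip link` line and tcpdump summary embedded at the bottom are constructed sample output so the parsing can be exercised without root or a live network.

```shell
#!/bin/sh
# Added example (not part of the ticket): visibility check to run on the
# Suricata sensor VM before touching rules or HOME_NET. It answers:
#   1. is the capture interface in promiscuous mode (PROMISC in `ip -o link show`)?
#   2. does tcpdump capture any packets for the other host at all?

# Extract N from tcpdump's "N packets captured" summary (tcpdump prints it on
# stderr). Prints the number, or 0 when no such line is present.
packets_captured() {
    n=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\) packets captured.*/\1/p' | head -n 1)
    printf '%s\n' "${n:-0}"
}

# Succeed (exit 0) when an `ip -o link show <iface>` line carries the PROMISC flag.
iface_is_promisc() {
    case "$1" in
        *PROMISC*) return 0 ;;
        *) return 1 ;;
    esac
}

# Turn the two observations into a one-line verdict.
# $1 = packets captured, $2 = "yes"/"no" for promiscuous mode.
verdict() {
    if [ "$1" -gt 0 ]; then
        printf '%s\n' "traffic visible: Suricata can see this host; check HOME_NET and rules next"
    elif [ "$2" = "no" ]; then
        printf '%s\n' "no traffic and interface not promiscuous: enable promiscuous mode / mirroring"
    else
        printf '%s\n' "no traffic although promiscuous: the hypervisor or switch is not delivering other hosts' frames"
    fi
}

# Live check against a real interface (needs root, tcpdump and coreutils
# timeout). Captures at most 5 packets for host $2 on interface $1, giving
# up after $3 seconds (default 15).
check_visibility() {
    iface=$1; target=$2; secs=${3:-15}
    flags=$(ip -o link show "$iface")
    if iface_is_promisc "$flags"; then promisc=yes; else promisc=no; fi
    # Packets go to stdout (discarded); the capture summary goes to stderr.
    summary=$(timeout "$secs" tcpdump -nn -i "$iface" -c 5 host "$target" 2>&1 >/dev/null)
    verdict "$(packets_captured "$summary")" "$promisc"
}

# Constructed sample output (placeholders, not captured from the ticket's VM):
# a non-promiscuous interface and a capture that saw nothing.
SAMPLE_LINK='2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000'
SAMPLE_SUMMARY='0 packets captured
0 packets received by filter
0 packets dropped by kernel'

if iface_is_promisc "$SAMPLE_LINK"; then p=yes; else p=no; fi
verdict "$(packets_captured "$SAMPLE_SUMMARY")" "$p"

# The live check only runs when explicitly requested:
#   RUN_LIVE=1 sh visibility.sh
if [ "${RUN_LIVE:-0}" = 1 ]; then
    check_visibility enp0s3 192.168.0.39
fi
```

If the live check reports no traffic, the fix is in the virtual network, not in Suricata: the sensor VM's adapter has to be allowed to receive frames addressed to other machines. In VirtualBox that is the adapter's "Promiscuous Mode" setting (Deny by default; it has to be set to allow other VMs or all traffic), and both VMs have to share the same internal, host-only or bridged network.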
Updated by Little Yu over 4 years ago
- File tcpdump.JPG added
Andreas Herz wrote in #note-4:
Did you ensure that the routing/mirroring of the traffic is forwarded to that interface?
If you run tcpdump -nn -vv -i enp0s3 host 192.168.0.39 do you see that traffic?
I did not do that; seeing as I'm running both of those virtual machines using VirtualBox, how exactly can I configure port mirroring without a switch?
And when I run the command, it shows this:
Updated by Andreas Herz over 4 years ago
I don't know if Virtualbox offers such a functionality but at least from the dump it's rather clear that the traffic you want to monitor is not seen, so that's something you need to fix within your virtual network setup.
Updated by Andreas Herz almost 3 years ago
- Status changed from Feedback to Closed
Hi, we're closing this issue since there have been no further responses.
If you think this issue is still relevant, try to test it again with the
most recent version of suricata and reopen the issue. If you want to
improve the bug report please take a look at
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Reporting_Bugs