As a project I have a physical firewall (IP: 10.0.0.2) with a SPAN port configured to a physical linux (CentOS 6) (IP: 10.0.0.3) on which I am running Suricata IDS.
Theoretically I should receive all the traffic to the box through an interface I called "span0". I can confirm this by running ifconfig and seeing traffic. So all good.
When running Suricata as follows: sudo suricata -c /etc/suricata/suricata.yaml -i span0, I am not getting any errors. Also good.
The question here is how to configure the suricata.yaml file.
- Should I have the HOME_NET on 10.0.0.2 or on 10.0.0.0/8?
Looking forward to hearing your feedback, Jan (Honza) Novak
I am not a great IDS setup specialist, but I would suggest that the configuration depends on the network setup.
If the firewall simply broadcasts everything through itself, then you should choose 10.0.0.0/8 to protect the entire network. On the other hand, with this setting, events within the network may go unnoticed.
If NAT is configured, then I would suggest choosing 10.0.0.2 to track possible malicious activity both outside and inside the network.
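To make the trade-off in the answer concrete, here is an added example (not from the question or the answer) that emulates how a rule written as `$EXTERNAL_NET any -> $HOME_NET any` resolves under each HOME_NET choice, assuming EXTERNAL_NET keeps its default of `!$HOME_NET`; the flows are constructed, not captured from the poster's network.

```python
import ipaddress

# Constructed sample flows (src, dst) for a 10.0.0.0/8 site behind a firewall at 10.0.0.2.
SAMPLE_FLOWS = [
    ("203.0.113.7", "10.0.0.2"),    # internet -> firewall
    ("203.0.113.7", "10.0.0.25"),   # internet -> internal host (e.g. forwarded port)
    ("10.0.0.25", "10.0.0.2"),      # internal host -> firewall
    ("10.0.0.25", "10.0.0.30"),     # internal host -> internal host (lateral)
    ("10.0.0.2", "198.51.100.9"),   # firewall -> internet
]


def in_home_net(ip, home_net):
    """True if ip falls inside any CIDR listed in home_net."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in home_net)


def matches_inbound_rule(src, dst, home_net):
    """Address test of '$EXTERNAL_NET any -> $HOME_NET any' with EXTERNAL_NET = !$HOME_NET."""
    return (not in_home_net(src, home_net)) and in_home_net(dst, home_net)


def classify_flows(home_net, flows=SAMPLE_FLOWS):
    """Map each flow to whether an inbound-only rule would fire for it."""
    return {(s, d): matches_inbound_rule(s, d, home_net) for s, d in flows}


def uncovered_flows(home_net, flows=SAMPLE_FLOWS):
    """Flows seen by neither an EXTERNAL->HOME nor a HOME->EXTERNAL rule.

    These are the flows a HOME_NET-scoped ruleset leaves unmonitored.
    """
    uncovered = []
    for s, d in flows:
        inbound = matches_inbound_rule(s, d, home_net)
        outbound = matches_inbound_rule(d, s, home_net)  # same test with roles swapped
        if not inbound and not outbound:
            uncovered.append((s, d))
    return uncovered


if __name__ == "__main__":
    for choice in (["10.0.0.0/8"], ["10.0.0.2/32"]):
        print(f"HOME_NET={choice}: unmonitored flows -> {uncovered_flows(choice)}")
```

Internal-to-internal traffic is not covered by either setting; only rules whose address groups are not tied to HOME_NET (or HOME_NET set to `any`) would see it.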