I’ve just started working with Suricata but I’m having problems getting the WAN packets to the Suricata server…
When running the trafr tool on the server that the packet sniffer is streaming to, I see a lot of LAN traffic but no WAN traffic.
The same goes for Suricata: it sees the LAN traffic but not the WAN.
I have no idea where to look for what’s causing the WAN packets not to be sniffed/streamed. Any suggestions on what to do?
Yes, this is the guide I’m following, and the Suricata part seems to work perfectly…
If I ping one of the servers in the “suspicious ip list” from a terminal on the Ubuntu server running Suricata, the warnings pop up in the fast.log, but if I do the same from another machine on the LAN I don’t see anything.
And looking at the packets that trafr outputs to the screen, it’s all LAN packets.
I’m running a dual WAN setup on the MikroTik but I don’t really see that this could affect the function of the sniffer?