I’ve set up a suricata node to ingest a packet stream sent from my CCR to the node (using the traffr tool to convert data into something suricata can parse) which is working great.
However, it seems that after a few days the sniffer on the router just turns itself off. The settings remain intact, but the sniffer status moves to disabled and I have to go back in and re-enable it to continue monitoring traffic.
Is this working as intended? Is the sniffer tool not designed for continuous operation? Is there any way to have it run continuously?
This complaint is heard more often. I would say the sniffer is not the intended way to do it, it would also not be running after a boot.
Instead, use an appropriate rule in the /ip firewall mangle table with a “sniff” action.
Thanks for replying.
I wasn’t aware that this is not what the sniffer tool was designed for, but it makes sense. I found some blog posts which explained how to set it up using that approach.
So I’ve tried a mangle firewall rule, but I’m not 100% sure I have that correct, as I’m not seeing any traffic flowing to my node.
I have the following:
chain=forward action=sniff-tzsp sniff-target=192.168.XX.XX
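Added example, written for this thread and not taken from any post, from trafr, or from Suricata: a small Python receiver that unwraps the UDP datagrams a RouterOS sniff-tzsp mangle rule emits, so you can confirm on the node that the rule fires at all and, if it does, write the frames to a pcap that Suricata can read. It assumes the TZSP framing RouterOS uses (version 1, Ethernet encapsulation, an optional tag list terminated by the END tag) and the RouterOS default sniff-target-port of 37008; the sample ARP frame, its MAC addresses and the file name are constructed. Two things worth checking alongside it: a rule in chain=forward only matches traffic routed through the CCR, not traffic that originates on or terminates at the router itself (use chain=prerouting to see everything arriving on an interface), and the node's own host firewall must accept inbound UDP on the TZSP port.

```python
"""Minimal TZSP receiver/decoder for RouterOS sniff-tzsp output (added example).

RouterOS wraps each captured Ethernet frame in a TZSP header and sends it as
one UDP datagram to sniff-target:sniff-target-port (default 37008). The
functions below unwrap that header so the frame can be counted (to confirm
the mangle rule matches) or written to a pcap file for Suricata.
"""
import socket
import struct
import time

TZSP_PORT = 37008            # RouterOS default sniff-target-port (assumption: unchanged)
TZSP_VERSION = 1
ENCAP_ETHERNET = 0x01        # encapsulation value for Ethernet frames
TAG_PADDING = 0x00           # single byte, no length field
TAG_END = 0x01               # single byte, no length field; frame follows


def parse_tzsp(datagram):
    """Return (tzsp_type, encapsulation, tags, frame) for one UDP payload.

    tags is a dict {tag_id: bytes}. Raises ValueError on malformed input
    instead of silently returning garbage as a frame.
    """
    if len(datagram) < 5:                      # 4-byte header + END tag
        raise ValueError("datagram too short for a TZSP header")
    version, tzsp_type, encap = struct.unpack("!BBH", datagram[:4])
    if version != TZSP_VERSION:
        raise ValueError("unsupported TZSP version %d" % version)
    tags = {}
    pos = 4
    while True:
        if pos >= len(datagram):
            raise ValueError("TZSP tag list not terminated")
        tag = datagram[pos]
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_PADDING:
            continue
        if pos >= len(datagram):
            raise ValueError("truncated tag length")
        length = datagram[pos]                 # every other tag: id, length, data
        pos += 1
        if pos + length > len(datagram):
            raise ValueError("truncated tag data")
        tags[tag] = datagram[pos:pos + length]
        pos += length
    return tzsp_type, encap, tags, datagram[pos:]


def pcap_header(linktype=1, snaplen=65535):
    """libpcap global header: little-endian magic, version 2.4, LINKTYPE_ETHERNET."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, linktype)


def pcap_record(frame, ts=None):
    """One pcap record header (ts_sec, ts_usec, incl_len, orig_len) plus the frame."""
    ts = time.time() if ts is None else ts
    sec = int(ts)
    usec = int((ts - sec) * 1_000_000)
    return struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame


def frames_to_pcap(datagrams, ts=None):
    """Unwrap TZSP datagrams into a complete pcap byte string, skipping
    malformed datagrams and anything that is not an Ethernet capture."""
    out = [pcap_header()]
    for dg in datagrams:
        try:
            _, encap, _, frame = parse_tzsp(dg)
        except ValueError:
            continue
        if encap == ENCAP_ETHERNET and frame:
            out.append(pcap_record(frame, ts))
    return b"".join(out)


def receive(count, port=TZSP_PORT, bind_addr="0.0.0.0"):
    """Block until `count` datagrams arrive on the TZSP port; return them raw.
    Run this on the sniff-target host: if it never returns, the rule is not
    matching or the datagrams are being dropped before they reach the node."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        return [s.recvfrom(65535)[0] for _ in range(count)]


# Constructed sample (not a real capture): an ARP request inside a minimal
# RouterOS-style TZSP header (version 1, type 0 = received tag list,
# Ethernet encapsulation, then the END tag).
SAMPLE_FRAME = (
    bytes.fromhex("ffffffffffff")            # dst: broadcast
    + bytes.fromhex("001122334455")          # src MAC (made up)
    + bytes.fromhex("0806")                  # EtherType ARP
    + bytes.fromhex("0001080006040001")      # ARP request, Ethernet/IPv4
    + bytes.fromhex("001122334455c0a80101")  # sender MAC / 192.168.1.1
    + bytes.fromhex("000000000000c0a80102")  # target MAC / 192.168.1.2
)
SAMPLE_DATAGRAM = b"\x01\x00\x00\x01" + b"\x01" + SAMPLE_FRAME

if __name__ == "__main__":
    dgrams = receive(10)
    with open("tzsp_capture.pcap", "wb") as f:   # file name is an assumption
        f.write(frames_to_pcap(dgrams))
    print("wrote %d frames" % len(dgrams))
```

Running the script on the sniff-target host while the mangle rule is active should produce a pcap after ten datagrams; if it blocks indefinitely, the problem is before the node (rule chain, route to the target, or a host firewall dropping UDP 37008), not in trafr or Suricata.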