I have the following 3 PCs connected to a router via Ethernet:
PC1 – 192.168.1.101 (Linux Ubuntu)
PC2 – 192.168.1.100 (Windows)
PC3 – 192.168.1.1 (Windows)
All PCs can ping each other.
PC1 has Suricata installed in IDS mode. It has a simple ping rule included:
alert icmp any any -> any any (msg:"PING detected"; sid:2; rev:1;)
I launch Suricata by entering the following command in PC1:
suricata -c /etc/suricata/suricata.yaml -i eth3
eth3 is the main Ethernet interface in PC1.
The ping rule is triggered when I ping PC1 from PC2 and PC3, and the appropriate message is recorded in the log file. This rule is also triggered when I ping PC2 and PC3 from PC1.
However, this rule is not triggered when I ping PC2 from PC3 and vice versa. Suricata listens only on the eth3 interface in PC1. The traffic doesn’t pass through PC1 when I ping PC2 from PC3, even though all 3 PCs are on the same network.
Is it possible to configure Suricata to monitor the entire network and not only the PC it is installed on?
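Before moving the sensor or changing its capture configuration, it is worth confirming from the alert log exactly which host pairs the sensor already sees. The script below is an added example, not code from the poster or from the Suricata project: it reads EVE JSON alert records (the eve.json output format), keeps only alerts for the ping rule (sid 2), tallies them by unordered endpoint pair, and reports which pairs among the three PCs never produced an alert. The log lines are constructed for illustration and mirror the three IPs in the question.

```python
import json
from collections import Counter
from itertools import combinations

# Constructed EVE JSON lines (not captured from the poster's sensor).
# Field names follow Suricata's EVE "alert" record layout.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"192.168.1.100","dest_ip":"192.168.1.101","proto":"ICMP",'
    '"alert":{"signature_id":2,"rev":1,"signature":"PING detected"}}',
    # Echo reply for the same conversation: same pair, opposite direction.
    '{"timestamp":"2024-01-01T10:00:00.001000+0000","event_type":"alert",'
    '"src_ip":"192.168.1.101","dest_ip":"192.168.1.100","proto":"ICMP",'
    '"alert":{"signature_id":2,"rev":1,"signature":"PING detected"}}',
    '{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"alert",'
    '"src_ip":"192.168.1.1","dest_ip":"192.168.1.101","proto":"ICMP",'
    '"alert":{"signature_id":2,"rev":1,"signature":"PING detected"}}',
    # A non-alert record, which the tally must ignore.
    '{"timestamp":"2024-01-01T10:00:06.000000+0000","event_type":"flow",'
    '"src_ip":"192.168.1.1","dest_ip":"192.168.1.101","proto":"ICMP"}',
    # An alert from a different rule (hypothetical sid 99), also ignored.
    '{"timestamp":"2024-01-01T10:00:07.000000+0000","event_type":"alert",'
    '"src_ip":"192.168.1.1","dest_ip":"192.168.1.100","proto":"ICMP",'
    '"alert":{"signature_id":99,"rev":1,"signature":"OTHER"}}',
]

# The three hosts from the question.
HOSTS = {"192.168.1.101", "192.168.1.100", "192.168.1.1"}


def tally_ping_alerts(lines, sid=2):
    """Count alerts for the given signature id, keyed by unordered endpoint pair.

    Returns a Counter mapping frozenset({src_ip, dest_ip}) -> number of alerts,
    so request and reply of one ping conversation land in the same bucket.
    Malformed lines and non-alert events are skipped.
    """
    counts = Counter()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") != "alert":
            continue
        if rec.get("alert", {}).get("signature_id") != sid:
            continue
        counts[frozenset((rec["src_ip"], rec["dest_ip"]))] += 1
    return counts


def unseen_pairs(counts, hosts):
    """Return the host pairs (as sorted tuples) that never produced an alert."""
    missing = []
    for a, b in combinations(sorted(hosts), 2):
        if frozenset((a, b)) not in counts:
            missing.append((a, b))
    return missing


if __name__ == "__main__":
    # In practice read the sensor's eve.json, e.g. open("/var/log/suricata/eve.json").
    counts = tally_ping_alerts(SAMPLE_EVE_LINES)
    for pair, n in sorted(counts.items(), key=lambda kv: sorted(kv[0])):
        print(f"{' <-> '.join(sorted(pair))}: {n} alert(s)")
    for a, b in unseen_pairs(counts, HOSTS):
        print(f"no alerts observed between {a} and {b}")
```

Run against the constructed lines, the script reports alerts for PC2<->PC1 and PC3<->PC1 and flags PC3<->PC2 as never observed, which is exactly the gap the question describes: a sensor capturing on a single host's interface only sees conversations that interface carries, so pairs it never reports are the ones to account for when deciding where capture should happen.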