Configuration in the Flowmon User Interface
- Last Updated: April 5, 2026
This section describes the basic settings that you can configure directly in the Flowmon user interface. For more advanced tuning of the Suricata IDS (for example, false-positive tuning or Suricata rule management), continue to the Configuration in the command line section.
The settings can be found in the Flowmon Configuration Center, under the section Monitoring Ports (in the left menu). On this page, it is possible to set the global settings for all interfaces or configure individual interfaces by selecting the IDS probe tab in the respective section. The global settings are always applied to all interfaces that do not have an individual configuration set.
By default, the Suricata IDS monitoring is disabled for all monitoring interfaces, so you must explicitly enable it for interfaces where the monitoring should be performed. You can do this by enabling the Enabled toggle under the IDS probe tab for each monitoring interface.
As mentioned above, it is possible to set an individual configuration for an interface when the global settings are not suitable for it. Enable this with the Use custom settings toggle. When this toggle is enabled, two more options are displayed: Filter and Packet count.
The first option, Filter, enables packet filtering and specifies which packets the Suricata IDS should process. The filter can contain more than one rule; in that case, enter one rule per line. When several rules are given, they are combined with a logical or (a packet is passed for processing if at least one rule matches it). Two types of filtering rules can be used, with the following syntax:
ip <ipv4_address>|<ipv6_address>
net <ipv4_address>|<ipv6_address>/<subnet>
Use the first type (ip) to specify an IP address that must appear as the source or destination address in the packet header. For example, with ip 1.1.1.1, only packets with 1.1.1.1 as the source or destination IP address are processed. Both IPv4 and IPv6 addresses are supported. The second type (net) specifies an entire address range; its value must be a valid IPv4 or IPv6 range in CIDR notation. As with ip, the range is matched against both the source and the destination IP address.
As mentioned in the Suricata IDS Configuration and Tuning section, only the first N packets of each session (per bi-flow) are passed to the Suricata IDS for inspection. You can adjust this value with the Packet count option. By default, it is set to 10 packets (that is, 5 packets in each direction). The value can be in the range of 3-100 packets. Packets of a session beyond this count are not inspected at all, so a higher value catches detections that depend on later payload, at the cost of more load on the IDS.
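The rules above (or between filter lines, either endpoint matched, only the first N packets per bi-flow) determine exactly which traffic the IDS ever sees. The following Python is an added example that models those rules; it is not Flowmon's implementation. The packet records, the filter text and the session layout are constructed for the example, and counting both directions of a session against a single Packet count limit is an assumption about how the probe applies that setting.

```python
import ipaddress
from collections import defaultdict

# Constructed filter text in the documented syntax: one rule per line,
# 'ip <address>' or 'net <address>/<prefix>'. Rules are combined with a logical or.
SAMPLE_FILTER = """
ip 10.0.0.5
net 2001:db8::/32
"""


def parse_filter(text):
    """Parse filter text into ip_network objects ('ip' rules become a /32 or /128).

    Raises ValueError for a line that is not 'ip <address>' or 'net <cidr>'; blank lines are ignored.
    """
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or parts[0] not in ("ip", "net"):
            raise ValueError(f"line {lineno}: expected 'ip <address>' or 'net <cidr>', got {line!r}")
        kind, value = parts
        try:
            if kind == "ip":
                if "/" in value:
                    raise ValueError("'ip' takes a single address; use 'net' for a range")
                rules.append(ipaddress.ip_network(value))  # single host -> /32 or /128
            else:
                if "/" not in value:
                    raise ValueError("'net' requires CIDR notation <address>/<prefix>")
                rules.append(ipaddress.ip_network(value, strict=False))
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from None
    return rules


def packet_matches(rules, src, dst):
    """A packet passes when any rule matches either its source or its destination address.

    An empty rule list means no filter is set, so every packet is eligible.
    """
    if not rules:
        return True
    addrs = (ipaddress.ip_address(src), ipaddress.ip_address(dst))
    # 'in' is False on an address/network version mismatch, so IPv4 and IPv6 rules coexist.
    return any(addr in net for net in rules for addr in addrs)


def biflow_key(pkt):
    """Direction-independent session key so both directions count against one limit."""
    a = (pkt["src"], pkt["sport"])
    b = (pkt["dst"], pkt["dport"])
    return (pkt["proto"],) + (a + b if a <= b else b + a)


def select_for_inspection(packets, filter_text="", packet_count=10):
    """Model of what reaches Suricata: packets that pass the filter, limited to the first
    packet_count packets of each bi-flow (assumption: both directions share the limit).
    packet_count must be inside the documented 3-100 range."""
    if not 3 <= packet_count <= 100:
        raise ValueError("Packet count must be between 3 and 100")
    rules = parse_filter(filter_text)
    seen = defaultdict(int)
    selected = []
    for pkt in packets:
        if not packet_matches(rules, pkt["src"], pkt["dst"]):
            continue
        key = biflow_key(pkt)
        if seen[key] >= packet_count:
            continue  # later packets of this session are never inspected
        seen[key] += 1
        selected.append(pkt)
    return selected


def make_session(proto, a, aport, b, bport, n):
    """Constructed session of n packets alternating direction between two endpoints."""
    pkts = []
    for i in range(n):
        src, sport, dst, dport = (a, aport, b, bport) if i % 2 == 0 else (b, bport, a, aport)
        pkts.append({"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "seq": i})
    return pkts


# Constructed traffic: a 12-packet TCP session involving 10.0.0.5 (matches the ip rule),
# a 4-packet DNS exchange that matches no rule, and a 6-packet IPv6 session inside 2001:db8::/32.
SAMPLE_PACKETS = (
    make_session("tcp", "10.0.0.5", 40000, "192.168.1.20", 443, 12)
    + make_session("udp", "172.16.0.9", 40001, "198.51.100.7", 53, 4)
    + make_session("udp", "2001:db8::1", 5000, "2001:db8:1::5", 53, 6)
)

if __name__ == "__main__":
    for count in (5, 10):
        chosen = select_for_inspection(SAMPLE_PACKETS, SAMPLE_FILTER, count)
        print(f"packet_count={count}: {len(chosen)} of {len(SAMPLE_PACKETS)} packets reach the IDS")
    print(f"no filter: {len(select_for_inspection(SAMPLE_PACKETS))} packets reach the IDS")
```

With the sample filter, the DNS exchange never reaches the IDS, the IPv6 session is inspected in full at the default count, and the 12-packet TCP session loses its last two packets; lowering Packet count to 5 cuts both matching sessions to their first five packets.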
In the following screenshot, you can see the configuration of the IDS probe in the Flowmon Configuration Center:
Detected IDS events are sent using Syslog:
- To all servers defined in the Syslog event logging settings (Flowmon Configuration Center > System > System settings). Selecting or deselecting any of the "Configure Syslog Message" groups does not affect the IDS Probe.
- Directly to the IDS Collector in the Flowmon ADS module, if it is installed on the same machine.
Detected events are stored in the /data/idsp/outputs/eve.json file. This JSON file is processed by syslog-ng according to the configuration file /etc/syslog-ng/conf.d/idsp.conf; in idsp.conf, you can configure the sending of events over syslog manually.
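Before relying on the syslog-ng forwarding, it helps to look at what the probe actually writes. The following Python is an added example, not Flowmon's code and not the logic in idsp.conf: it parses constructed eve.json lines in the Suricata EVE format, keeps only alert events, tolerates a line that was cut off mid-write, summarises the alerts, and renders each one as a single-line message. The record field names are the standard EVE ones; the sample values, the signature ids (local rule range) and the key=value output format are assumptions made for the example.

```python
import json
from collections import Counter

# Constructed sample of eve.json contents (Suricata EVE format, one JSON object per line):
# two alerts, one non-alert "flow" record and one truncated line. Signature ids are in the
# local rule range and are assumptions for this example, not real rules.
SAMPLE_EVE_LINES = [
    '{"timestamp": "2026-04-05T10:15:30.123456+0000", "flow_id": 1001, "in_iface": "eth1", '
    '"event_type": "alert", "src_ip": "10.0.0.5", "src_port": 40000, "dest_ip": "192.168.1.20", '
    '"dest_port": 443, "proto": "TCP", "alert": {"action": "allowed", "gid": 1, "signature_id": 1000001, '
    '"rev": 2, "signature": "LOCAL example alert A", "category": "Example", "severity": 2}}',
    '{"timestamp": "2026-04-05T10:15:31.000000+0000", "flow_id": 1001, "in_iface": "eth1", '
    '"event_type": "flow", "src_ip": "10.0.0.5", "src_port": 40000, "dest_ip": "192.168.1.20", '
    '"dest_port": 443, "proto": "TCP"}',
    '{"timestamp": "2026-04-05T10:16:02.500000+0000", "flow_id": 1002, "in_iface": "eth1", '
    '"event_type": "alert", "src_ip": "2001:db8::1", "dest_ip": "2001:db8:1::5", "proto": "ICMPv6", '
    '"alert": {"action": "allowed", "gid": 1, "signature_id": 1000002, "rev": 1, '
    '"signature": "LOCAL example alert B", "category": "Example", "severity": 1}}',
    '{"timestamp": "2026-04-05T10:16:03.000000+0000", "event_type": "alert", "src_ip": "10.0.0.7",',
]

ALERT_FIELDS = ("timestamp", "flow_id", "in_iface", "src_ip", "src_port", "dest_ip", "dest_port", "proto")


def parse_eve_alerts(lines):
    """Return (alerts, skipped): one flat dict per alert event, plus the number of lines
    that were not a complete JSON object (for example a line still being written)."""
    alerts, skipped = [], 0
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(event, dict) or event.get("event_type") != "alert":
            continue  # flow, dns, tls, ... records are not detections
        info = event.get("alert", {})
        alert = {field: event.get(field) for field in ALERT_FIELDS}
        alert.update(sid=info.get("signature_id"), rev=info.get("rev"),
                     signature=info.get("signature"), category=info.get("category"),
                     severity=info.get("severity"))
        alerts.append(alert)
    return alerts, skipped


def alert_summary(alerts):
    """Counts per signature and per severity: the first view worth checking on a new probe."""
    return {
        "by_signature": Counter((a["sid"], a["signature"]) for a in alerts),
        "by_severity": Counter(a["severity"] for a in alerts),
    }


def _endpoint(ip, port):
    # Protocols without ports (ICMP, ICMPv6) have no src_port/dest_port in the record.
    return ip if port is None else f"{ip}:{port}"


def format_syslog_line(alert):
    """Single-line key=value rendering of an alert for a syslog message
    (a constructed format, not the template idsp.conf uses)."""
    return (f'IDS alert sid={alert["sid"]} rev={alert["rev"]} sev={alert["severity"]} '
            f'proto={alert["proto"]} iface={alert["in_iface"]} '
            f'src={_endpoint(alert["src_ip"], alert["src_port"])} '
            f'dst={_endpoint(alert["dest_ip"], alert["dest_port"])} '
            f'msg="{alert["signature"]}"')


if __name__ == "__main__":
    found, bad = parse_eve_alerts(SAMPLE_EVE_LINES)
    print(f"{len(found)} alerts, {bad} unreadable line(s)")
    print(alert_summary(found))
    for a in found:
        print(format_syslog_line(a))
```

Run against the live file with `parse_eve_alerts(open("/data/idsp/outputs/eve.json"))` to confirm alerts are being produced on an interface before troubleshooting the syslog side; a non-zero skipped count is normal for the last line while the probe is writing.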
You can start or stop the IDS Probe using the Flowmon Configuration Center (Versions > IDS Probe - Stop/Start).