NIDS - Configuration ( SIEM )

Created by Jaseem Masood, Modified on Fri, 13 Jun at 5:39 PM by Jaseem Masood

The Network-based Intrusion Detection System (NIDS) tab within the SIEM configuration module allows you to configure and manage network-level threat detection throughout your infrastructure.


Prerequisite for NIDS:

A physical Ubuntu machine is required, with mirrored (SPAN) traffic delivered to it over a physical link.

The mirror session should cover the ports or VLANs that carry the traffic you want to inspect, typically:


1. Uplink Ports / Trunk Ports

  • These are the best candidates.
  • Why: They carry aggregated traffic to and from access/distribution switches or between core and edge routers.
  • Example: If Port 1/1 on your core switch is connected to your firewall, or to another switch/router, mirroring this port will give Suricata visibility into that flow.

2. VLAN or SVI Traffic (if supported)

  • If your switch supports VLAN-based SPAN (vSPAN or RSPAN), mirror the VLAN that handles inter-VLAN or internet-bound traffic.
  • Example: Mirror VLAN 10 (user subnet) or VLAN 99 (internet-facing subnet).

3. Firewall-facing Port

  • If the core switch connects directly to the firewall, mirroring the firewall port will allow Suricata to see all ingress/egress traffic.
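As an added example that is not part of this article or of the ceburu product, the following POSIX shell script checks from the Ubuntu sensor's side that the mirror session is actually delivering frames. It parses /proc/net/dev counters, confirms that the sniffing NIC receives but does not transmit (a correctly configured mirror port carries no IP address and stays silent), and can be run live against an interface before the host is added in the portal. The interface names (eth0 as management, eth1 as mirror port) and the embedded /proc/net/dev sample are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the ceburu article): verify that the SPAN/mirror
# feed reaches the sensor NIC on the Ubuntu host. Interface names and the
# sample /proc/net/dev table below are constructed assumptions.

# Print one counter from a /proc/net/dev-style table.
#   $1 = table text, $2 = interface name, $3 = field number after "name:"
#   3 = RX packets, 5 = RX drops, 11 = TX packets
# Exits 1 when the interface is not in the table.
netdev_counter() {
    printf '%s\n' "$1" | awk -v ifc="$2" -v col="$3" '
        { sub(/:/, " ") }                  # "eth1: 123 45" -> "eth1  123 45"
        $1 == ifc { print $col; found = 1 }
        END { if (!found) exit 1 }
    '
}
rx_packets_from_table() { netdev_counter "$1" "$2" 3; }
rx_drops_from_table()   { netdev_counter "$1" "$2" 5; }
tx_packets_from_table() { netdev_counter "$1" "$2" 11; }

# Classify an interface as a mirror (sniff-only) port:
#   ok           - receives frames and never transmits
#   no-traffic   - counter is zero, mirror session probably not reaching us
#   transmitting - NIC has a stack attached (IP, ARP, ...), not a clean sniffer
#   missing      - interface not present
mirror_port_profile() {
    rx=$(rx_packets_from_table "$1" "$2") || { echo "missing"; return 1; }
    tx=$(tx_packets_from_table "$1" "$2")
    if [ "$rx" -eq 0 ]; then
        echo "no-traffic"; return 1
    elif [ "$tx" -gt 0 ]; then
        echo "transmitting"; return 1
    fi
    echo "ok"
}

# Live check: does the RX counter of interface $1 climb over $2 seconds?
# Mirrored frames are not addressed to the sensor, so the NIC must be in
# promiscuous mode or it silently discards them (enabling it needs root).
check_mirror_feed() {
    ifc=$1
    secs=${2:-5}
    ip link set "$ifc" up promisc on 2>/dev/null || \
        echo "warning: could not enable promiscuous mode on $ifc (not root?)" >&2
    before=$(rx_packets_from_table "$(cat /proc/net/dev)" "$ifc") || {
        echo "no such interface: $ifc" >&2; return 2; }
    sleep "$secs"
    after=$(rx_packets_from_table "$(cat /proc/net/dev)" "$ifc")
    delta=$((after - before))
    echo "$ifc: $delta frames received in ${secs}s," \
         "profile: $(mirror_port_profile "$(cat /proc/net/dev)" "$ifc")"
    [ "$delta" -gt 0 ]
}

# Constructed sample of /proc/net/dev: eth0 is the management NIC (talks),
# eth1 is the mirror port (large RX, zero TX), which is what a healthy SPAN
# feed looks like from the sensor.
SAMPLE_NETDEV='Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo:   12345      56    0    0    0     0          0         0    12345      56    0    0    0     0       0          0
  eth0: 9876543    4321    0    0    0     0          0         0  5555555    3333    0    0    0     0       0          0
  eth1: 7654321   98765    0   12    0     0          0      1200        0       0    0    0    0     0       0          0'

# Run the live check when an interface is given on the command line, e.g.
#   sudo sh mirror_check.sh eth1 10
if [ -n "${1:-}" ]; then
    check_mirror_feed "$1" "${2:-5}"
fi
```

Run it with sudo and the mirror interface name (for example `sudo sh mirror_check.sh eth1 10`). A counter that does not move while the switch's SPAN session is active usually means the wrong source port or VLAN was mirrored, or the NIC is not in promiscuous mode; a "transmitting" profile means the sniffing NIC still has an address or service bound to it and should be isolated before it is used as the sensor interface.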

In ceburu Portal:

  • Go to Settings > Configurations > SIEM

  • Click on the NIDS tab 



To set up NIDS monitoring:

  1. Click the “Add Configuration” button.



Important Requirements:

  • Only Linux machines (preferably Ubuntu) will be shown.

  • The Linux machine must be joined to Active Directory (AD).

  • The Linux machine must also be under monitoring within the platform.



Once eligible systems are detected:

  1. Select the Linux host.

  2. Complete the configuration.

  3. Save the settings.


The system will then begin monitoring network traffic from the configured host.

After a Linux machine is successfully configured as a NIDS, it will appear in the table with the following columns:


Column          Description
NO              Serial number
HOST NAME       Name of the configured host
HOST IP         IP address of the sensor
OS              Operating system (Linux)
STATUS          Status icon (shown when the sensor is active)
INSTALL STATUS  Sensor installation success indicator
INSTALL REPORT  View additional installation information
ACTION          Options to Edit or Delete the configuration



Edit Configuration:

  • Click the pencil/edit icon under the Action column.
  • Change the assigned host to another eligible Linux machine.
  • Click Update to apply the change.


Deleting Configuration:

  • Click the delete icon in the Action column to remove the NIDS configuration.
