Single node, multiple VLANs: assign IPs?


The rocknsm single node setup I’ve deployed has multiple interfaces for which no IP is assigned. Now I came up with the idea to assign an IP to as many interfaces as possible so Suricata can detect more reconnaissance activity and such.

As this is not explicitly mentioned in rocknsm, does it make sense to do so?

ROCK uses passive network collection.

The collection interfaces are in promiscuous mode so they collect all network traffic. If it had an IP address:

  • You would only collect data for your IP
  • Your sensor could be attacked (without an IP address, it cannot be directly targeted)
  • You’d likely need to be in-line with the network, meaning you could cause outages

Thanks for the feedback. I have a hard time getting things to move for getting taps to work etc. This is to me a possible alternative.

  • Reviewing the firewall rules for rocknsm, I think they are fine to avoid exposure to attacks.

  • To my knowledge there is no need whatsoever for an IP assigned to be any different from listening. An assigned IP would simply be a bonus as a specific metric.
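
Added example, not part of the thread or of ROCK's own tooling: a Python check over the JSON printed by `ip -d -j addr show` that reports whether interfaces meant for passive capture carry an address or are not promiscuous, the two properties the reply above describes. The interface names, addresses, sample JSON and the function name `audit_capture_interfaces` are constructed for illustration.

```python
import json

# Constructed sample shaped like `ip -d -j addr show` output (not from a real sensor).
SAMPLE = json.dumps([
    {"ifname": "eno1", "flags": ["BROADCAST", "MULTICAST", "UP", "LOWER_UP"],
     "promiscuity": 0,
     "addr_info": [{"family": "inet", "local": "192.0.2.10", "prefixlen": 24,
                    "scope": "global"}]},                      # management NIC
    {"ifname": "enp2s0", "flags": ["BROADCAST", "MULTICAST", "PROMISC", "UP"],
     "promiscuity": 1, "addr_info": []},                       # clean capture NIC
    {"ifname": "enp3s0", "flags": ["BROADCAST", "MULTICAST", "UP"],
     "promiscuity": 1,
     "addr_info": [{"family": "inet6", "local": "fe80::1", "prefixlen": 64,
                    "scope": "link"}]},                        # auto-configured IPv6
    {"ifname": "enp4s0", "flags": ["BROADCAST", "MULTICAST"],
     "promiscuity": 0,
     "addr_info": [{"family": "inet", "local": "10.0.20.5", "prefixlen": 24,
                    "scope": "global"}]},                      # addressed and down
])


def audit_capture_interfaces(ip_json, capture_ifaces):
    """Return {ifname: [findings]}; an empty list means the interface is passive."""
    links = {link["ifname"]: link for link in json.loads(ip_json)}
    report = {}
    for name in capture_ifaces:
        link = links.get(name)
        if link is None:
            report[name] = ["interface not present"]
            continue
        findings = []
        # Any address counts, including IPv6 link-local, which the kernel
        # usually configures by itself on an interface with "no IP assigned".
        for addr in link.get("addr_info", []):
            findings.append("has %s address %s/%s (scope %s)" % (
                addr["family"], addr["local"], addr["prefixlen"],
                addr.get("scope", "?")))
        flags = set(link.get("flags", []))
        if "UP" not in flags:
            findings.append("link is down")
        # The PROMISC flag appears only when set administratively; capture
        # tools raise the "promiscuity" counter instead, so accept either.
        if "PROMISC" not in flags and link.get("promiscuity", 0) == 0:
            findings.append("not promiscuous")
        report[name] = findings
    return report


if __name__ == "__main__":
    result = audit_capture_interfaces(SAMPLE, ["enp2s0", "enp3s0", "enp4s0"])
    for name, findings in result.items():
        print(name, "OK" if not findings else "; ".join(findings))
```

On a live sensor the input would come from running `ip -d -j addr show` and passing its output with the list of capture interfaces configured for that sensor.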