Hello, I am a new user to Qubes OS. I am looking to set up Suricata on my computer but have not found much guidance or discussion online. Having fumbled around for a few days in vain, could anyone in the community share how to configure it?
My purposes:
- Detect and block suspicious network traffic of the entire computer
- Store persistent logs of the suspicious network traffic (attempt) for future inspection
What I have tried so far and the issues:
- Set up a standalone VM but could not even install Suricata somehow.
- As templates seem to offer full persistence according to the documentation, I figured installing Suricata on a template might achieve persistence the same way. I succeeded in installing Suricata and the rules, but Suricata failed to run. Inspecting the logs, I figured it might have something to do with the ethernet interface (it could not identify the interface name, e.g. eth0). When I ran “ip addr”, only “lo” showed up but no “eth0” - is it because by OS design sys-net is the ethernet interface? If so, what should I set as the monitoring interface in Suricata?
- While I have not been able to get Suricata ready yet, I foresee another question later - How should I arrange the order of network flow? Should it be like sys-net << sys-firewall << Suricata (template) << App VM?
I hope my description above is not too chaotic. Really appreciate your help!