<!-- WordPress post 224 (https://www.kristedal.se/?p=224), category teknik, author ID 1. Published 2025-11-13T06:22:36, last modified 2026-02-27T17:22:24 (16:22:24 UTC). -->
<h1 class="entry-title">🔒 Suricata on a Raspberry Pi 5 – mirrored WAN traffic via a Zyxel switch</h1>
<p class="entry-meta">Published 2025-11-13, last modified 2026-02-27, by author 1 in the category teknik. Original: <a href="https://www.kristedal.se/?p=224">https://www.kristedal.se/?p=224</a></p>

<p>Monitoring your own internet traffic at home gives you both better security and insight into how the network is actually used. In this article I describe how I set up Suricata on a Raspberry Pi 5 behind my router, with a Zyxel switch mirroring all traffic on the WAN port. The result is a capable, passive IDS that does not affect the speed of the network itself.</p>

<figure class="wp-block-image size-large is-resized"><img loading="lazy" decoding="async" width="1024" height="768" src="http://www.kristedal.se/wp-content/uploads/2025/11/20251114_193156a-1024x768.jpg" alt="" class="wp-image-331" style="width:465px;height:auto" srcset="https://www.kristedal.se/wp-content/uploads/2025/11/20251114_193156a-1024x768.jpg 1024w, https://www.kristedal.se/wp-content/uploads/2025/11/20251114_193156a-300x225.jpg 300w, https://www.kristedal.se/wp-content/uploads/2025/11/20251114_193156a-768x576.jpg 768w, https://www.kristedal.se/wp-content/uploads/2025/11/20251114_193156a-1536x1152.jpg 1536w, https://www.kristedal.se/wp-content/uploads/2025/11/20251114_193156a-2048x1536.jpg 2048w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>

<h2 class="wp-block-heading">Why Suricata?</h2>

<p>Suricata is a fast, open-source IDS/IPS engine that analyses traffic in real time. Driven by a signature ruleset it recognises attacks, attempts to exploit known vulnerabilities, port scans and protocol anomalies, and it writes every event as JSON to eve.json. On a Raspberry Pi 5 in passive mode you get serious monitoring without risking an outage: the sensor only ever reads packets, so if it misbehaves the worst case is missed alerts, not a broken network.</p>

<h2 class="wp-block-heading">Network topology</h2>

<figure class="wp-block-image size-full"><img loading="lazy" decoding="async" width="508" height="435" src="http://www.kristedal.se/wp-content/uploads/2025/11/Screenshot_20251115_111922.png" alt="" class="wp-image-339" srcset="https://www.kristedal.se/wp-content/uploads/2025/11/Screenshot_20251115_111922.png 508w, https://www.kristedal.se/wp-content/uploads/2025/11/Screenshot_20251115_111922-300x257.png 300w" sizes="auto, (max-width: 508px) 100vw, 508px" /></figure>

<p>• The Zyxel switch mirrors the traffic on the WAN port to a chosen monitor port.<br>• The Raspberry Pi 5 listens passively on eth0. No IP address is needed there, and none should be configured: a DHCP client or mDNS on that interface would try to talk on the ISP segment (see the drawbacks below).<br>• Administration (SSH, EveBox and so on) goes over the Pi's wlan0 or a USB Ethernet adapter, so management traffic never mixes with the mirrored WAN traffic.</p>

<h2 class="wp-block-heading">Installing Suricata</h2>

<ol class="wp-block-list">
<li>Update the system:
<ul class="wp-block-list">
<li><code>sudo apt update &amp;&amp; sudo apt full-upgrade -y</code></li>
</ul>
</li>

<li>Install Suricata: <code>sudo apt install suricata -y</code></li>

<li>Configure af-packet in <code>/etc/suricata/suricata.yaml</code>:
<pre class="wp-block-code"><code>af-packet:
  - interface: eth0
    threads: auto
    cluster-type: cluster_flow</code></pre>
The original stanza also carried <code>copy-mode: tap</code>. That option belongs to the inline tap/IPS modes and only does something together with <code>copy-iface</code>; on a passive sensor Suricata ignores it, so it is dropped here. Also check <code>HOME_NET</code> under <code>vars</code>: on the WAN side of a NAT router all of your traffic carries the public address, so the default RFC1918 ranges match nothing and rules written against <code>$HOME_NET</code> stay silent. Set it to your WAN address.</li>

<li>Fetch a ruleset. Alerts only come from rules, and the Debian package does not bundle a threat ruleset, so run <code>sudo suricata-update</code> once (available as its own package on Debian-based systems if the command is missing). It downloads the Emerging Threats Open rules into <code>/var/lib/suricata/rules/suricata.rules</code>; check that <code>default-rule-path</code> and <code>rule-files</code> in suricata.yaml point there.</li>

<li>Start Suricata in IDS mode:
<ul class="wp-block-list">
<li><code>sudo suricata -c /etc/suricata/suricata.yaml -i eth0 -v</code></li>
</ul>
Run <code>sudo suricata -T -c /etc/suricata/suricata.yaml</code> first: it loads the configuration and rules and exits, so YAML and rule errors show up before any capture starts.</li>

<li>Start EveBox to view the alerts:
<ul class="wp-block-list">
<li><code>evebox server -D ~/evebox-data --no-auth /var/log/suricata/eve.json</code></li>
</ul>
Then open <code>http://&lt;pi-ip&gt;:5636/#/events</code> in a browser. EveBox is installed from the project's own packages, not from the Raspberry Pi OS repositories. Note that <code>--no-auth</code> puts the whole alert history in front of anyone who can reach port 5636, so use it only on a trusted management network, or drop it and configure EveBox's user authentication.</li>
</ol>

<h2 class="wp-block-heading">Advantages</h2>

<p>✅ Passive monitoring, with no impact on network performance.<br>✅ Visibility of all inbound and outbound traffic on the ISP link (for TLS that means metadata such as SNI and certificates, not the encrypted contents).<br>✅ Low cost: a Pi 5, a microSD card and an inexpensive switch that supports port mirroring are enough.<br>✅ Extensible: can be complemented with, for example, the Elastic Stack, Grafana, or notifications via syslog or Telegram.<br>✅ No risk of an outage: even if the Pi dies, the network keeps working as usual.</p>

<h2 class="wp-block-heading">Disadvantages</h2>

<p>⚠️ Mirroring shows the whole ISP segment. You can see traffic for neighbouring IP addresses in the same subnet, not only your own, which can produce alerts that have nothing to do with your network; filter on your WAN address when triaging.<br>⚠️ No active blocking. In this topology Suricata works as an IDS, not an IPS. Blocking would require the Pi inline between the router and the fibre box, and then you have to handle routing and fail-safe questions, such as what happens to the link when the Pi hangs.<br>⚠️ A mirror port carries both directions of the WAN link, so a fully loaded gigabit link can exceed what the Pi's single gigabit port can receive; watch <code>capture.kernel_drops</code> in Suricata's stats.log.<br>⚠️ Large log volume. eve.json grows quickly and microSD cards wear out; use logrotate (and send Suricata a HUP after rotation so it reopens the file) or write to an external USB disk.<br>⚠️ Requires some networking knowledge. A misconfigured mirror port, or an IP address on the wrong interface, can disturb the network.</p>

<h2 class="wp-block-heading">Conclusion</h2>

<p>Mirroring the WAN traffic to a Raspberry Pi 5 running Suricata is a simple route to advanced network monitoring at home.<br>It is a safe, passive and fully reversible setup: pull the cable and everything is back to normal. For anyone who wants to learn network security in practice, this is one of the most instructive and useful home-lab exercises there is.</p>
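<p>As an added example (not the article's own commands), the shell script below performs the Pi-side part of the installation steps as idempotent functions: it keeps eth0 address-less and promiscuous, emits an af-packet stanza without the inline-only copy-mode, points HOME_NET at the WAN address, installs a logrotate policy for eve.json and validates the configuration. It assumes Raspberry Pi OS with NetworkManager and the packaged systemd service (which writes /run/suricata.pid); the WAN address 203.0.113.7 and the file name suricata-sensor are placeholders.</p>

```shell
#!/bin/sh
# Passive Suricata sensor setup for a switch mirror port. Added example, not the
# article's own script. Assumptions: Raspberry Pi OS (Debian) with NetworkManager,
# sniffing on eth0, management on another interface, and 203.0.113.7 standing in
# for your public WAN address (a documentation address; replace it).
set -eu

SENSOR_IF="${SENSOR_IF:-eth0}"
WAN_IP="${WAN_IP:-203.0.113.7}"
SURICATA_YAML="${SURICATA_YAML:-/etc/suricata/suricata.yaml}"

# The mirror port must never carry traffic from the Pi: no address, no DHCP
# client, no mDNS. Tell NetworkManager to leave the interface alone, drop any
# address it already got, and bring it up in promiscuous mode so the kernel
# hands every mirrored frame to Suricata.
sensor_iface_up() {  # $1 = interface
    if command -v nmcli >/dev/null 2>&1; then
        nmcli device set "$1" managed no
    fi
    ip addr flush dev "$1"
    ip link set "$1" promisc on
    ip link set "$1" up
}

# af-packet stanza for a passive sensor. copy-mode/copy-iface belong to the
# inline tap/IPS modes and are left out; cluster_flow pins each flow to one
# worker so stream reassembly stays consistent across the auto-sized pool.
write_afpacket_conf() {  # $1 = output file, $2 = interface
    cat > "$1" <<EOF
af-packet:
  - interface: $2
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
EOF
}

# On the WAN side of a NAT router every home flow carries the public address,
# so the default RFC1918 HOME_NET matches nothing and rules written against
# $HOME_NET stay silent. Rewrite the (uncommented) HOME_NET line in place.
set_home_net() {  # $1 = suricata.yaml, $2 = WAN IP
    sed -i -E "s|^([[:space:]]*HOME_NET:).*|\1 \"[$2/32]\"|" "$1"
}

# eve.json grows fast and microSD cards wear out: rotate daily, compress, and
# HUP Suricata so it reopens the files instead of writing into a deleted inode.
# Assumes the packaged systemd service, which writes /run/suricata.pid.
write_logrotate_conf() {  # $1 = output file
    cat > "$1" <<'EOF'
/var/log/suricata/*.log /var/log/suricata/*.json {
    daily
    rotate 7
    missingok
    compress
    delaycompress
    create
    sharedscripts
    postrotate
        [ -f /run/suricata.pid ] && kill -HUP "$(cat /run/suricata.pid)" || true
    endscript
}
EOF
}

# Load config and rules without capturing; catches YAML and rule errors early.
validate_config() { suricata -T -c "$1"; }

main() {
    sensor_iface_up "$SENSOR_IF"
    set_home_net "$SURICATA_YAML" "$WAN_IP"
    write_logrotate_conf /etc/logrotate.d/suricata-sensor
    echo "Replace the af-packet section of $SURICATA_YAML with:"
    write_afpacket_conf /dev/stdout "$SENSOR_IF"
    validate_config "$SURICATA_YAML"
}

# Applies only when run as root with the argument 'apply'; otherwise the
# functions are merely defined so they can be sourced or tested.
if [ "${1:-}" = "apply" ]; then main; fi
```

<p>Run it as <code>sudo WAN_IP=203.0.113.7 sh sensor-setup.sh apply</code>, then paste the printed af-packet stanza over the existing one in suricata.yaml and start the service. If your ISP hands out a dynamic address, rerun <code>set_home_net</code> when it changes and restart Suricata, or accept the coarser <code>HOME_NET: "any"</code>.</p>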
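<p>The two drawbacks that bite first on a WAN mirror are neighbour noise from the shared ISP segment and silent packet loss on an oversubscribed mirror port. The shell helpers below, added here and not part of the article, answer both from Suricata's own output: they count events in eve.json that do not involve your WAN address, rank alert signatures for the events that do, and read capture.kernel_drops from stats.log. The eve.json and stats.log lines embedded in the script are constructed samples (203.0.113.7 is the assumed WAN address; the LOCAL signatures and 9000001-range sids are placeholders, not real rules). Only sed, awk, grep and sort are required; the extraction relies on Suricata's fixed EVE field order, with src_ip before dest_ip on each line.</p>

```shell
#!/bin/sh
# Triage helpers for a WAN mirror sensor. Added example, not the article's own
# tooling. Works with sed/awk/grep/sort only and relies on Suricata's fixed EVE
# field order (src_ip appears before dest_ip on every line).
set -eu

# Constructed sample eve.json: four alerts and one flow, shaped like Suricata's
# output. 203.0.113.7 is the assumed WAN address; 203.0.113.44 and .91 play
# neighbours on the same ISP segment whose broadcasts the mirror also delivers.
# The LOCAL signatures and 9000001-range sids are placeholders, not real rules.
sample_eve() {
    cat <<'EOF'
{"timestamp":"2025-11-15T10:00:01.000000+0100","event_type":"alert","src_ip":"198.51.100.23","src_port":45011,"dest_ip":"203.0.113.7","dest_port":22,"proto":"TCP","alert":{"signature_id":9000001,"signature":"LOCAL SSH connection attempt from outside","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2025-11-15T10:00:02.000000+0100","event_type":"alert","src_ip":"198.51.100.23","src_port":45012,"dest_ip":"203.0.113.7","dest_port":23,"proto":"TCP","alert":{"signature_id":9000002,"signature":"LOCAL Telnet probe","category":"Attempted Information Leak","severity":2}}
{"timestamp":"2025-11-15T10:00:03.000000+0100","event_type":"alert","src_ip":"203.0.113.44","src_port":137,"dest_ip":"203.0.113.255","dest_port":137,"proto":"UDP","alert":{"signature_id":9000003,"signature":"LOCAL NetBIOS broadcast","category":"Misc activity","severity":3}}
{"timestamp":"2025-11-15T10:00:04.000000+0100","event_type":"flow","src_ip":"203.0.113.91","src_port":5353,"dest_ip":"224.0.0.251","dest_port":5353,"proto":"UDP"}
{"timestamp":"2025-11-15T10:00:05.000000+0100","event_type":"alert","src_ip":"198.51.100.77","src_port":40000,"dest_ip":"203.0.113.7","dest_port":22,"proto":"TCP","alert":{"signature_id":9000001,"signature":"LOCAL SSH connection attempt from outside","category":"Attempted Information Leak","severity":2}}
EOF
}

# Constructed stats.log excerpt. capture.kernel_drops counts frames the kernel
# discarded before Suricata read them; on a mirror port that usually means both
# WAN directions together exceed the one gigabit the monitor port can send.
sample_stats() {
    cat <<'EOF'
capture.kernel_packets                        | Total                     | 1834021
capture.kernel_drops                          | Total                     | 517
EOF
}

# "src dest" per line; lines lacking either field (e.g. stats events) are skipped.
endpoints() { sed -n 's/.*"src_ip":"\([^"]*\)".*"dest_ip":"\([^"]*\)".*/\1 \2/p' "$1"; }

# Events where neither endpoint is the WAN address are neighbour noise from the
# shared ISP segment: not your traffic, and not something to page anyone for.
foreign_count() {  # $1 = eve.json, $2 = WAN IP
    endpoints "$1" | awk -v me="$2" '$1 != me && $2 != me { n++ } END { print n+0 }'
}

# Alert signatures ranked by frequency, restricted to events that touch the WAN IP.
alert_top() {  # $1 = eve.json, $2 = WAN IP
    grep '"event_type":"alert"' "$1" \
        | grep -E "\"(src_ip|dest_ip)\":\"$2\"" \
        | sed -n 's/.*"signature":"\([^"]*\)".*/\1/p' \
        | sort | uniq -c | sort -rn | sed 's/^[[:space:]]*//'
}

# Last kernel_drops value in stats.log; anything above zero means blind spots.
kernel_drops() {  # $1 = stats.log
    awk -F'|' '/^capture\.kernel_drops/ { gsub(/ /, "", $3); v = $3 } END { print v + 0 }' "$1"
}

main() {  # $1 = eve.json, $2 = WAN IP, $3 = stats.log
    echo "neighbour-noise events (neither side is $2): $(foreign_count "$1" "$2")"
    echo "top alerts involving $2:"
    alert_top "$1" "$2"
    echo "kernel drops: $(kernel_drops "$3")"
}

# With no arguments, demonstrate on the constructed samples; otherwise pass
# your own eve.json, WAN address and stats.log.
if [ $# -eq 0 ]; then
    e=$(mktemp); s=$(mktemp)
    sample_eve > "$e"; sample_stats > "$s"
    main "$e" 203.0.113.7 "$s"
    rm -f "$e" "$s"
else
    main "$@"
fi
```

<p>On the constructed sample the script reports two neighbour-noise events (the NetBIOS broadcast and the mDNS flow), ranks the SSH signature above the Telnet probe for the WAN address, and flags 517 kernel drops. On a real sensor run it as <code>sh eve-triage.sh /var/log/suricata/eve.json &lt;wan-ip&gt; /var/log/suricata/stats.log</code>; a rising drop counter means the mirror port or the Pi's NIC is saturated and the alert list is incomplete, which no amount of rule tuning will fix.</p>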