In most organizations, east-west traffic is the network surface that gets the least visibility yet carries the most risk. Because services in the same data center talk to each other, the assumption that “internal traffic is safe” quietly takes hold. Yet lateral movement, mistakenly exposed management ports, or unexpected dependencies often hide right within this corridor. Suricata gives you a practical starting point to make that flow visible without redesigning the whole network.
Which usage model are we targeting?
In this guide I’ll cover passive profiling rather than inline blocking. The objectives are:
- Listening to internal traffic copied via SPAN or mirror port
- Collecting flow summaries through EVE JSON output
- Seeing the most chatty service pairs and port distribution
- Preparing the ground for later policy tightening if needed
This model is especially valuable for understanding existing behavior before zero-trust or microsegmentation efforts.
Installing Suricata
On an Ubuntu-based sensor node, the basic installation looks like this:
sudo apt update
sudo apt install -y suricata jq
sudo systemctl stop suricataNext, you need to clarify the listening interface and JSON output. Depending on the distribution package, the main file is usually /etc/suricata/suricata.yaml.
Critical configuration sections
For profiling, the following settings provide a sufficient baseline:
af-packet:
- interface: ens224
cluster-id: 99
cluster-type: cluster_flow
defrag: yes
outputs:
- eve-log:
enabled: yes
filetype: regular
filename: /var/log/suricata/eve.json
types:
- flow
- dns
- http
- tlsThe flow output gives you the talking endpoints and volume, while dns/http/tls outputs give you basic protocol context. In the early phase, it’s wiser to stay visibility-focused rather than loading aggressive rule sets.
Starting the service and live verification
After configuration:
sudo suricata -T -c /etc/suricata/suricata.yaml
sudo systemctl enable --now suricata
sudo tail -f /var/log/suricata/eve.jsonThe -T test is especially important; the service might silently fail to start due to a wrong interface name or broken YAML.
Quick profiling queries
To extract the busiest flows from the EVE JSON file, jq is enough:
jq -r '
select(.event_type=="flow") |
[.src_ip, .dest_ip, .proto, .dest_port] | @tsv
' /var/log/suricata/eve.json | sort | uniq -c | sort -nr | headSimilarly, to find unexpected management ports:
jq -r '
select(.event_type=="flow") |
.dest_port
' /var/log/suricata/eve.json | sort -n | uniq -c | sort -nr | head -20These queries don’t replace a full security analysis but produce an initial behavior map. They’re particularly useful for catching undocumented dependencies.
Operational considerations
- Verify with
tcpdumpfirst that mirror traffic actually reaches the sensor. - Set up log rotation for disk growth on high-volume backbone links.
- Flow correlation breaks if time synchronization isn’t right.
- If the same traffic hits multiple sensors, counts can be inflated.
It’s generally safer to place the Suricata sensor at a separate observation point rather than on top of a production system.
What might come next?
Once the profile is visible, depending on the organization’s maturity, these steps are valuable:
- Opening a review queue for unexpected flows
- Tightening Cilium, firewall, or ACL policies based on this observation
- Establishing a baseline for critical service pairs
- Comparing traffic deviation against the normal profile during incidents
This way Suricata becomes more than just an IDS tool; it turns into a network observability component for the organization.
Conclusion
East-west traffic profiling with Suricata is a low-friction step toward making the dark side of the internal network visible. Through passive monitoring, clean JSON output, and simple analysis commands, you produce concrete data about what each service is doing. That, in turn, gives a much stronger foundation for security hardening, segmentation, and incident triage.