3 Network Cards for Suricata like IPS

elholo · November 13, 2022, 7:58pm

Hello everyone, I want to set up a network with 1 ubuntu server as a router. This router has 3 network cards:
-enp0s3: 10.0.0.23/24 (to internet)
-enp0s8: 192.168.0.5/24 (to web server, ftp, ssh)
-enp0s9: 172.16.0.0/12 (local network)

I want to use suricata as IPS to protect enp0s8 and enp0s9
Do I just need to put “sudo iptables -I FORWARD -j NFQUEUE”?

And do I just need to put “suricata -c /etc/suricata/suricata.yaml -s /etc/suricata/rules/suricata.rules -q0”?

Some tests with “drop” rules are not working…

Thank you!

Andreas_Herz · November 17, 2022, 10:32am

You can follow this guide 13. Setting up IPS/inline for Linux — Suricata 6.0.8 documentation

Also make sure that the netfilter forwarding is working as expected. You could run -j LOG for some time to test to make sure that the packets you want to monitor are actually going to NFQUEUE.

elholo · November 17, 2022, 6:47pm

Thank you Andreas, I already saw what you say to me.

Topic		Replies	Views
Suricata IDS/IPS IN-Line Help	12	1892	March 1, 2021
Rules for different network interfaces Help	7	1152	April 30, 2022
Interface configuration for inline ips Help	1	515	February 23, 2021
How to configure suricata IPS mode with AF-PACKET? Help ips , community , suricata	1	1310	July 17, 2022
IPS mode on Raspberry Pi configured as Wi-Fi Bridge Help ips	1	744	August 29, 2021

3 Network Cards for Suricata like IPS

Related Topics