Architecture help


I have a /29 assigned to me from my provider and that is connected to my router. I am looking to set up a VM with Suricata and connect it inline between my /29 and my router. That way I can secure everything coming in and out of my network. I already have a router, I don't want to replace it, just have Suricata monitor and/or block traffic before it reaches my router.

I am thinking of creating a CentOS 8 VM with 4 vCPUs, 8GB of memory, 500GB HDD, and two NICs, one for management and the other in promiscuous mode. Then configure the VM to mirror all traffic from the WAN interface of the router.

Would this be the recommended setup or is there a better way of doing this?

If you are just going to provide a mirror of the traffic, Suricata won't be able to block anything, just alert. If you want to block, you'll want to figure out a way to get inline. I know of 2 ways to do this:

  • Bridge mode, where you use Suricata to bridge 2 network interfaces. This is somewhat like creating an Ethernet bridge, but Suricata is inline and can drop as needed.
  • Using NFQUEUE, but typically you’d run this on a Linux machine that is already inline somehow, like being a router already.

Personally I don't use either. One setup I do use is to mirror the port on my switch that connects to the internal interface on my router; I then mirror that to another box internally that runs Suricata in IDS mode.

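For the bridge mode described above, here is an af-packet IPS configuration fragment as an added example (not the poster's own configuration); the interface names eth0 and eth1 are assumptions for the provider-side and router-side NICs of the VM.

```yaml
# Added example: Suricata af-packet "copy-mode: ips" bridge between two NICs.
# Interface names are assumed (eth0 = provider/WAN side, eth1 = router side);
# substitute the VM's real interface names. Put this under the af-packet:
# key of suricata.yaml and start Suricata with --af-packet.
af-packet:
  - interface: eth0          # provider side
    threads: 1               # thread count must be identical on both sides
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 98           # cluster ids must differ per interface
    copy-mode: ips           # forward each packet Suricata accepts to copy-iface
    copy-iface: eth1
    buffer-size: 64535
    use-mmap: yes
  - interface: eth1          # router side
    threads: 1
    defrag: no
    cluster-type: cluster_flow
    cluster-id: 97
    copy-mode: ips
    copy-iface: eth0
    buffer-size: 64535
    use-mmap: yes

# A packet only reaches the other interface after Suricata has inspected it,
# so the Suricata process is the only path between the two NICs: if it stops,
# the link goes down (fail-closed). Blocking requires rules whose action is
# "drop"; rules with the "alert" action still only log in this mode.
```

The two bridged interfaces carry no IP addresses of their own, and on a VM the hypervisor's virtual switch has to allow promiscuous mode and forged transmits on both ports, otherwise the copied frames are silently discarded.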

Hi there,

I have a setup with Suricata in IPS mode, but it's running on a FreeBSD router (one external interface and multiple internal interfaces). This way you'll be able to redirect (in my case via IPFW) your traffic to Suricata, which inspects it and alerts on or drops a specific threat.

With the setup you've described, you'll just be able to inspect the traffic but not apply any drop action.