I would like to spin up an instance of Suricata on my home network. I’ve been thinking about a few places I could put it. One is on my bastion host. It would be hosted inline, on the internal-facing interface. Another option would be a physical host connected to a SPAN port on a switch. Lastly, I could stand up a VM and pass through an Ethernet card that is connected to a SPAN port. What would be the best option?
On my home network I have a Linux firewall/router as my gateway, where the external interface connects to my ISP and my internal interface is my home NAT’d network. I run Suricata on this machine, on the internal interface, so when I do get alerts, I see the internal addresses, and it also removes all the noise that is seen on the external interface that would get dropped by the firewall anyway.
I have another machine that sees the same traffic, but on a SPAN port on my switch. So both scenarios work fine. On this machine I do sometimes use KVM passthrough networking, and it seems to work fine as well. For me the important part is to be monitoring on the inside of my firewall, as the events have more meaning then.
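The internal-interface setup described in the answer above, as an added configuration example (not from the original thread or the Suricata project). It assumes the gateway's internal interface is named `eth1` and the home LAN is `192.168.1.0/24`; both are placeholders to adjust. Setting HOME_NET to the inside range is what makes alerts report internal addresses, and capturing on the inside interface means traffic the firewall already dropped never reaches the sensor.

```yaml
# suricata.yaml fragment: passive IDS on the INSIDE interface of a home
# Linux firewall/router. Placeholder values: eth1, 192.168.1.0/24.
vars:
  address-groups:
    # Only the NAT'd home LAN counts as "home": alerts then show the real
    # internal host, not the router's public address.
    HOME_NET: "[192.168.1.0/24]"
    EXTERNAL_NET: "!$HOME_NET"

# af-packet capture on the internal interface. The same block works
# unchanged for a SPAN-port sensor (physical NIC or a NIC passed through
# to a VM); just point `interface` at the NIC that receives the mirror.
af-packet:
  - interface: eth1
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    # Not inline: packets are observed, never dropped or forwarded.
    copy-mode: ips-disabled
    use-mmap: yes

outputs:
  - eve-log:
      enabled: yes
      filetype: regular
      filename: eve.json
      types:
        - alert
        - dns
        - http
        - tls
        - flow
```

Start it with `suricata -c /etc/suricata/suricata.yaml --af-packet=eth1` and confirm in the log that the capture interface and HOME_NET are the ones you intended before trusting the alerts.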