I am working to set up IDS + source IP blocking on a VPS with a single interface. I have previously used PSAD, and it was easy to configure it to block source IPs (using iptables), send email alerts, etc. I’d like to use Suricata in a similar way, but it seems that you need to route all your traffic through Suricata (NFQueue mode). Does anyone know of a simple config with Suricata in monitoring mode (e.g. af-packet mode instead of the in-line NFQueue mode) that allows building up blocklists of offending IPs, and actively blocking those IPs with iptables rules, etc.? It seems you have to route all your traffic through Suricata as an active filter in IPS mode if you want this. I just want Suricata listening to the network port and blocking offenders from accessing my server in the future by adding new iptables DROP rules. Is there an easy way to do this with Suricata? Maybe I’ve just missed a basic config option.
Am I trying to do something that no one else does? Am I just thinking about this in a strange way?
Is the best/only way to block source IPs that engage in suspicious interactions with Suricata (without writing a script/app that processes Suricata log/socket output) to put Suricata inline with all incoming traffic?
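For readers landing here with the same question: the passive (af-packet) route that the poster describes does work, but it needs exactly the small glue script the poster wanted to avoid, consuming Suricata's EVE JSON output and adding iptables rules. The following is an added example of that glue, not code from the original post or from the Suricata project. It assumes Suricata's default EVE `alert` records (`event_type`, `src_ip`, `dest_ip`, `alert.severity`, `alert.signature_id`); the server address `203.0.113.50`, the admin address `203.0.113.10` and the sample EVE lines are all constructed for the example.

```python
#!/usr/bin/env python3
"""Feed Suricata EVE JSON alerts (af-packet IDS mode) into iptables DROP rules.

Added example, not part of Suricata. Usage against a live sensor would be
    tail -F /var/log/suricata/eve.json | python3 eve_block.py 203.0.113.50
Because the sensor is passive, the packets that raised the alert have
already reached the host; only later traffic from the offender is dropped.
"""
import ipaddress
import json
import subprocess
import sys
from typing import Iterable, List, Optional, Set

# Never block these: loopback, RFC1918, and the host you administer from.
# 203.0.113.10 is a hypothetical admin address for this example.
ALLOWLIST = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("203.0.113.10/32"),
]

# EVE alert.severity: 1 = high, 2 = medium, 3 = low. Block on 1 and 2 only,
# so noisy informational signatures do not lock out ordinary clients.
MAX_SEVERITY = 2


def is_allowlisted(addr: ipaddress._BaseAddress) -> bool:
    return any(addr in net for net in ALLOWLIST)


def offender_from_event(line: str, server_ip: str) -> Optional[str]:
    """Return the remote IP to block for one EVE line, or None."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None  # partial line while Suricata is still writing it
    if ev.get("event_type") != "alert":
        return None  # flow, dns, http, stats ... records carry no verdict
    if ev.get("alert", {}).get("severity", 3) > MAX_SEVERITY:
        return None
    # Alerts fire on the server's replies too, so the peer is whichever
    # end of the flow is not our own address.
    peer = ev.get("dest_ip") if ev.get("src_ip") == server_ip else ev.get("src_ip")
    if not peer or peer == server_ip:
        return None
    try:
        addr = ipaddress.ip_address(peer)
    except ValueError:
        return None
    if is_allowlisted(addr):
        return None
    return str(addr)


def build_block_commands(lines: Iterable[str], server_ip: str) -> List[List[str]]:
    """One iptables/ip6tables command per distinct offender, in first-seen order."""
    seen: Set[str] = set()
    cmds: List[List[str]] = []
    for line in lines:
        ip = offender_from_event(line, server_ip)
        if ip is None or ip in seen:
            continue
        seen.add(ip)
        tool = "ip6tables" if ipaddress.ip_address(ip).version == 6 else "iptables"
        # -I inserts at the top of INPUT so the DROP wins over later ACCEPT rules.
        cmds.append([tool, "-I", "INPUT", "-s", ip, "-j", "DROP"])
    return cmds


def apply_blocks(cmds: List[List[str]], dry_run: bool = True) -> None:
    for cmd in cmds:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)  # needs root / CAP_NET_ADMIN


# Constructed sample EVE lines; signature names and ids are placeholders.
SAMPLE_EVE = [
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"203.0.113.50",'
    '"alert":{"severity":1,"signature_id":9000001,"signature":"TEST scan"}}',
    '{"event_type":"flow","src_ip":"198.51.100.8","dest_ip":"203.0.113.50"}',
    '{"event_type":"alert","src_ip":"203.0.113.50","dest_ip":"198.51.100.9",'
    '"alert":{"severity":2,"signature_id":9000002,"signature":"TEST reply"}}',
    '{"event_type":"alert","src_ip":"203.0.113.10","dest_ip":"203.0.113.50",'
    '"alert":{"severity":1,"signature_id":9000003,"signature":"TEST admin"}}',
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"203.0.113.50",'
    '"alert":{"severity":1,"signature_id":9000004,"signature":"TEST repeat"}}',
    '{"event_type":"alert","src_ip":"198.51.100.11","dest_ip":"203.0.113.50",'
    '"alert":{"severity":3,"signature_id":9000005,"signature":"TEST info"}}',
    '{"event_type":"alert","src_ip":"198.51.100.12",',
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        apply_blocks(build_block_commands(sys.stdin, sys.argv[1]), dry_run=True)
    else:
        apply_blocks(build_block_commands(SAMPLE_EVE, "203.0.113.50"), dry_run=True)
```

With the sample lines the script emits two rules, for 198.51.100.7 (once, despite two alerts) and for 198.51.100.9 (learned from the server's own reply); the admin host, the severity-3 alert, the `flow` record and the truncated line are all ignored. For anything beyond a handful of offenders, swap the per-IP `iptables -I` for an ipset referenced by a single rule, which also gives you timeouts so blocks expire instead of accumulating forever.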
Have you had a look at 13. Setting up IPS/inline for Linux — Suricata 7.0.0-dev documentation, specifically “scenario 2”?