$HOME_NET and multiple interfaces, plus deployment best practices

Hello forum!
I’m afraid I’ve got some basic questions I can’t wrap my head around, on the subject of $HOME_NET and general traffic flow through Suricata. Hoping you can shed some light on the matter, for a newcomer :wink:
I’ve got Suricata running as a daemon on a Linux machine (5.0.3), sitting between edge FW and application proxies.
Suppose we’ve got a setup as presented in the picture.

I’m mostly concerned with monitoring incoming traffic - let’s assume Srv01-03 are just web servers, i.e. there’ll be significantly more remotely originated traffic going into the environment, than local requests going out.

  1. If I configure Suricata to listen on eth0 on server IDS01, then the only IP addresses this interface will ever see are 172.16.16.1 and 172.16.16.2. In that case, HOME_NET = 172.16.16.2/32, right?
  2. If I configure Suricata to listen on eth1 on server IDS01, then the only IP addresses this interface will ever see are 192.168.1.1 and 192.168.1.2. In that case, HOME_NET = 192.168.1.2/32, right?
  3. If I want to monitor both eth1 and eth2 on IDS01 and those networks “trust” each other, I could set HOME_NET = 192.168.1.2/32,192.168.2.2/32.
  4. If I want to monitor both eth1 and eth0 on IDS01 but these networks don’t trust each other, i.e. traffic from 192.168.2.0/24 into 192.168.1.0/24 should be treated as external / suspicious and vice-versa, what to put as HOME_NET?
  5. If I wanted to monitor eth0, eth1 and eth2 on IDS01, what would be the best practices / tools to assemble traffic flows between the interfaces, for monitoring / troubleshooting purposes?
  6. Would it even make sense to monitor eth0 in that case or would that just result in duplication of alerts?
  7. Are there obvious flaws in this setup, on top of the fact that Suricata sees just traffic between 2 IP addresses, instead of the real target hosts?

Regards,
Mike


In general HOME_NET is seen as internal traffic, so everything that you would see as internal should be included, as it matters for the rules.

But in your example, if a connection to 8.8.8.8 would be initiated I would expect that you see on IDS01 ETH0 a flow with src IP 172.16.16.2 (if that’s the NAT IP) but dst IP still 8.8.8.8 although it’s forwarded to 172.16.16.1 as the next hop?

Good point @Andreas_Herz
I was kind of incoming-traffic-focused, but forgot to mention that in the original post - now amended.

For outgoing traffic, the settings seem pretty straightforward: HOME_NET= 192.168.[12].0/24 and monitoring of eth1 & eth2 on IDS01 should cover us nicely.
What about tracking and monitoring incoming traffic, though?

With those variables you don’t distinguish between incoming and outgoing, but rather between internal and external. So you add all your internal IPs and networks to HOME_NET, and EXTERNAL_NET is just the counterpart to it, thus often !HOME_NET.
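To make the internal/external point concrete, here is an added Python example (not code from the thread or from the Suricata project) that models how Suricata's address-group variables resolve against a flow's source and destination. It uses the thread's networks (192.168.1.0/24 and 192.168.2.0/24 as HOME_NET, EXTERNAL_NET as !$HOME_NET) and three constructed flows: an inbound request from an outside client, an outbound request to 8.8.8.8, and a request between the two server networks. The variable parser is a simplified model of Suricata's address syntax (`any`, `$VAR` references, `!` negation, nested `[a,b]` lists); it is not Suricata's own parser, and the flow tuples are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed address groups, shaped like the vars.address-groups section of
# suricata.yaml. HOME_NET spans both server networks from the thread; the
# second dict narrows HOME_NET to a single network for comparison.
TRUSTED_GROUPS: Dict[str, str] = {
    "HOME_NET": "[192.168.1.0/24,192.168.2.0/24]",
    "EXTERNAL_NET": "!$HOME_NET",
}
SINGLE_NET_GROUPS: Dict[str, str] = {
    "HOME_NET": "192.168.1.0/24",
    "EXTERNAL_NET": "!$HOME_NET",
}

# Constructed flows as (src_ip, dst_ip), client -> server direction.
FLOWS: Dict[str, Tuple[str, str]] = {
    "inbound": ("203.0.113.10", "192.168.1.2"),      # outside client to Srv
    "outbound": ("192.168.1.2", "8.8.8.8"),          # server to the Internet
    "east-west": ("192.168.2.2", "192.168.1.2"),     # between the two networks
}


def _split_top_level(expr: str) -> List[str]:
    """Split a comma-separated list without breaking nested [...] groups."""
    parts, depth, cur = [], 0, ""
    for ch in expr:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        parts.append(cur.strip())
    return parts


def expand(expr: str, groups: Dict[str, str], negate: bool = False) -> List[Tuple[bool, object]]:
    """Flatten an address expression into (negated, network) entries.

    Simplified model of Suricata's address parsing: 'any', $VAR lookups,
    '!' negation (which distributes over a list) and nested [a,b,...] lists.
    """
    expr = expr.strip()
    if expr.startswith("!"):
        return expand(expr[1:], groups, not negate)
    if expr.startswith("$"):
        return expand(groups[expr[1:]], groups, negate)
    if expr.startswith("[") and expr.endswith("]"):
        out: List[Tuple[bool, object]] = []
        for part in _split_top_level(expr[1:-1]):
            out.extend(expand(part, groups, negate))
        return out
    if expr == "any":
        return [(negate, ipaddress.ip_network("0.0.0.0/0"))]
    return [(negate, ipaddress.ip_network(expr, strict=False))]


def matches(expr: str, ip: str, groups: Dict[str, str]) -> bool:
    """True if ip is covered by the address expression.

    Negated entries exclude; if no positive entries exist (e.g. !$HOME_NET),
    every address not excluded matches.
    """
    addr = ipaddress.ip_address(ip)
    entries = expand(expr, groups)
    positive = [net for neg, net in entries if not neg]
    negative = [net for neg, net in entries if neg]
    if any(addr in net for net in negative):
        return False
    return not positive or any(addr in net for net in positive)


def rule_matches(src_expr: str, dst_expr: str, flow: Tuple[str, str], groups: Dict[str, str]) -> bool:
    """Evaluate the address part of a rule header 'src_expr any -> dst_expr any'."""
    src, dst = flow
    return matches(src_expr, src, groups) and matches(dst_expr, dst, groups)


def classify(flow: Tuple[str, str], groups: Dict[str, str]) -> str:
    """Report which of the usual $HOME_NET/$EXTERNAL_NET header shapes a flow hits."""
    if rule_matches("$EXTERNAL_NET", "$HOME_NET", flow, groups):
        return "external->home"
    if rule_matches("$HOME_NET", "$EXTERNAL_NET", flow, groups):
        return "home->external"
    if rule_matches("$HOME_NET", "$HOME_NET", flow, groups):
        return "home->home"
    return "external->external"


if __name__ == "__main__":
    for label, groups in (("trusted", TRUSTED_GROUPS), ("single-net", SINGLE_NET_GROUPS)):
        for name, flow in FLOWS.items():
            print(f"{label:10} {name:10} {flow[0]:>15} -> {flow[1]:<15} {classify(flow, groups)}")
```

Running it shows the point made above: the inbound and outbound flows are told apart purely by which end sits in HOME_NET, so rules written as `$EXTERNAL_NET any -> $HOME_NET any` catch the inbound request and `$HOME_NET any -> $EXTERNAL_NET any` the outbound one. With HOME_NET covering both server networks, the east-west flow matches neither header shape (it is home->home), whereas narrowing HOME_NET to 192.168.1.0/24 makes the same flow look like external->home. Whether that is the desired treatment for the untrusted-networks case in question 4 is a policy decision; the example only shows what each HOME_NET definition does to rule matching.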