IDS For Bridged Interface

Hello,

I am using Suricata 7.0.8 in IDS mode on Oracle Linux 9, installed from the Oracle repository.
The VM where Suricata is installed has multiple interfaces. Of these, eth0 has an IPv4 address, while ETH2 and ETH3 are connected through the bridged interface “br_0”, so they won’t have an IPv4 address. If I want to monitor ETH2 and ETH3, what configuration should I use? Or should I monitor the br interface? And if yes, should I use 192.168.0.1 in the command line and 192.168.0.1/24 in suricata.yaml HOME_NET?

39: br_0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 02:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 scope global br_0
       valid_lft forever preferred_lft forever

Thanks in advance!

You don’t need any IP configured for Suricata if you just want to passively listen.
You can also listen on br0 if needed.
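
A suricata.yaml fragment for the setup discussed in this thread, added here as an illustration and not posted by either participant: it captures on the bridge with AF_PACKET and sets HOME_NET to the bridge's subnet. The 192.168.0.0/24 network is assumed from the `inet 192.168.0.1/24` line in the question, the cluster-id values are arbitrary, and eth2/eth3 stand for the two bridge ports the question calls ETH2 and ETH3.

```yaml
# Added example, not from the thread. Values marked "assumed" must be
# adapted to the actual host.

vars:
  address-groups:
    # HOME_NET names the protected network(s) that rules refer to as
    # $HOME_NET. It does not select what is captured, and it is a network,
    # not the address of the sensor. Assumed: the bridge subnet.
    HOME_NET: "[192.168.0.0/24]"
    EXTERNAL_NET: "!$HOME_NET"

af-packet:
  # Option A: capture on the bridge itself. The capture interface is
  # chosen by name; no IP address is given to Suricata.
  - interface: br_0
    cluster-id: 99            # assumed value; must be unique per interface
    cluster-type: cluster_flow
    defrag: yes

  # Option B: capture on the two bridge ports instead of br_0.
  # Use one option or the other: a frame forwarded from one port to the
  # other is visible on both ports, so combining captures inspects the
  # same traffic more than once.
  # - interface: eth2         # assumed name, see `ip link`
  #   cluster-id: 98
  #   cluster-type: cluster_flow
  #   defrag: yes
  # - interface: eth3         # assumed name, see `ip link`
  #   cluster-id: 97
  #   cluster-type: cluster_flow
  #   defrag: yes

# Start with the interfaces listed above:
#   suricata -c /etc/suricata/suricata.yaml --af-packet
# or name a single interface on the command line:
#   suricata -c /etc/suricata/suricata.yaml -i br_0
```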