If Suricata works in IPS, it also has the IDS function

If Suricata works in IPS, there is no need to start another Suricata in IDS. Is that right?

I believe those are two different concepts/deployments. IPS sits inline and blocks. IDS is passive monitoring/threat detection but can give a lot more context as well. It is non-intrusive and can be used for other stuff (in the case of Suricata - NTA, NSM, compliance monitoring, anomaly detection) as it can produce a lot of extra protocol data and logs. I think ultimately both are needed.

If I run two Suricata on one computer, IPS and IDS.
First question:
Suricata (IPS) needs iptables and NFQUEUE. Can Suricata (IDS) also deal with the network communication? Or does Suricata (IDS) work before iptables?
Second question:
Do two Suricata on one computer use the same log file? Do we need to provide two different log files?
Thank you in advance.

Don’t believe that will work.

Running two Suricata on one computer can’t work?

Yes you can. Make sure to not have them write to the same file(s) though. Best to use different output directories.

OK, thank you. :smiley: