current config - cable modem-router-suricata(linux-selks- AF_PACKET IPS mode)-switch…this seems to be working …however i would prefer suricata to be infront of the router…like **cablemodem-suricata-router-switch **…i kinda got it working by configuring the linux box as a router…how ever that introduced alot of complexities with double natting…is there another option to placing suricata in front of my router?
my current config with the linux box connected between my router and switch, the only way i could get it to work was to create bridge with the nics…the documentation for AF_packt ips indicate…“you just need the interfaces to be up” i tried using iface enp2s0 inet manual type setting for both nic and it wouldnt work…so im unsure how the copy mode works…does it mean the linux box is essentually invisible and packets will flow thru it like it was a wire…lol…
to answer part of my question…“setting up bridge is not needed”…i had conflicting settings in my etc/network/interfaces and etc/network/interfaces.d(interfacename)…i used the file in interfaces.d entered both adaptors…and it appear to be working inline with out bridge…i will try putting suricata infront router and see if it functions…