I’m new to the IDS/IPS field and have been exploring Suricata in a virtual environment. So far, I’ve successfully set it up on an Ubuntu VM and simulated attacks from another Ubuntu VM, which worked well.
Now, I’d love to take it a step further and deploy Suricata in my organization. Our network setup consists of two internet providers, both connecting to a Sophos firewall, which then routes traffic to the users. My main goal is to monitor inbound and outbound traffic on the firewall to analyze potential threats coming from the internet.
Since we don’t have any on-prem servers—only AWS cloud instances—I’d like to know if it’s possible to install Suricata on an AWS instance and use it to monitor our firewall. If so, what would be the best way to achieve this? Are there any configurations or network setups I should consider?
As IDS/IPS is a new area for me (I’ve mostly worked in vulnerability management and EDR), I’d really appreciate any guidance, documentation, or reference materials that could help me get started.
Looking forward to your insights—thanks in advance!
Is the firewall on-prem?
To make this work you would have to send a copy of your network traffic to the AWS cloud instance where you’re running Suricata. I highly doubt that this makes sense.
If you want IDS mode, see if the Sophos firewall provides a mirror port or so to send a copy of traffic to a Suricata instance or add a switch that provides that feature. Other options would be a tap.
In IPS mode you want to have it running either between the Sophos and the two uplinks or between the Sophos and your internal network. In that case it would also make more sense to have it on-prem if the Sophos is on-prem.
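The two deployment options in the reply above map onto two different `af-packet` capture sections in suricata.yaml. The following is an added example for this thread, not configuration posted by anyone in it or shipped by Suricata: the two documents are alternatives (a real suricata.yaml has one `af-packet:` key), and the interface names, cluster IDs and thread counts are assumptions to replace with your own.

```yaml
%YAML 1.1
---
# Option A: IDS on a mirror/SPAN port or tap. The Sophos (or a switch/tap)
# copies traffic onto ens3 (assumed name); Suricata only reads it, so rules
# using the 'drop' action produce alerts but never block anything.
af-packet:
  - interface: ens3
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow   # both directions of a flow land on one thread
    defrag: yes
    use-mmap: yes
    tpacket-v3: yes
    # Mirrored frames often carry checksums the sending NIC never filled in
    # (checksum offload); 'auto' detects that instead of treating them as bad.
    checksum-checks: auto

---
# Option B: inline IPS between the Sophos LAN interface and the internal
# switch. Suricata itself bridges ens4 <-> ens5 (assumed names): every packet
# read on one side is re-emitted on the other unless a 'drop' rule matches.
# If this box or the Suricata process dies, the LAN loses its path to the
# firewall, so plan a bypass before going live.
af-packet:
  - interface: ens4
    threads: 4                   # the two halves of an IPS pair need the same
    cluster-id: 98               # thread count but different cluster-ids
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    tpacket-v3: no               # v3 ring is IDS-only; IPS falls back to v2
    copy-mode: ips               # 'tap' would copy but never drop
    copy-iface: ens5
    buffer-size: 64535
  - interface: ens5
    threads: 4
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    tpacket-v3: no
    copy-mode: ips
    copy-iface: ens4
    buffer-size: 64535

# With copy-mode ips the stream engine must reassemble in inline mode so a
# drop decision is made before the segment is forwarded; 'auto' selects that
# whenever an IPS copy mode is configured.
stream:
  inline: auto
```

For Option B also disable NIC offloading on both interfaces before starting Suricata (for example `ethtool -K ens4 gro off lro off tso off gso off`, and the same for ens5), otherwise the kernel hands Suricata oversized merged frames that it cannot re-emit faithfully. For the exfiltration goal raised later in the thread, only Option B can actually stop a flow; Option A just alerts on it. Placing either sensor between the Sophos and the internal network also means Suricata sees pre-NAT internal addresses, which is what you need to attribute an outbound transfer to a specific host.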
Yes, the Sophos firewall is on-prem. Based on your explanation, it seems that deploying Suricata in IDS/IPS mode is best suited for an on-prem setup rather than a cloud instance, especially since forwarding mirrored traffic from the on-prem firewall to AWS is not a recommended approach.
My primary goal is to prevent data exfiltration. Given this, would you recommend setting up Suricata in IDS mode using a mirror port on the Sophos firewall or an additional switch? Or would an inline IPS deployment between the firewall and internal network be more effective?
Additionally, just to clarify—if Suricata were deployed in AWS, it wouldn’t function effectively in IPS mode even if I mapped the firewall traffic to it, correct?
I truly appreciate your guidance and any further recommendations you might have!
In IDS mode you will just be alerted if something happens, in IPS there is a chance it can be actually blocked. But IPS mode is much more intrusive and could also prevent legit traffic or cause delay.
This depends on your network flow, even in AWS itself Suricata is used as a sort of firewall. You just need to make sure the traffic is correctly routed.