[new to Suricata] Where do I put my Suricata in my network?

Hello guys!

First of all, sorry for my English if there are some mistakes; English is not my native language.

I looked for this topic with the search tool and didn’t find anything really useful. I’m currently trying to grow in the IT field, especially in the security field, so I’m working on home labs to increase my skills.

Regarding that, I’m looking to install Suricata and learn how it works, but in a professional way (I haven’t read the documentation yet, but I’m definitely going to, the entire documentation!).

However, I would first like to know where I should put my NIPS system in my network topology.

I’m currently working from my main computer, through VMware Workstation, but I’m pretty sure I’ll encounter a lot of problems regarding the network part, as I’m not able to configure the entire TCP/IP spectrum on it. So I plan to build a new host machine which will run ESX, and then run my VMs on it. However, I’m thinking that having a dedicated host with Suricata installed on it and 2 NICs could be a better option. What do you think about it? Which option is the most appropriate in a real-case scenario (like in companies, etc.)?

Should I bother installing it on a VM, without being able to configure the network part as I’m only on VMware Workstation, or should I wait to get a dedicated host?

My current topology is WAN > ISP ROUTER > FORTIGATE > LAN, and I think the best place for Suricata would be between the Fortigate and the LAN.

I thought about Minisforum’s computers, as most of them have 2 built-in NICs (one for external traffic and the other for internal traffic).

Let me know if there is any documentation to read; it doesn’t bother me, I want to learn as much as I can about Suricata in order to get more skills and one day work in security.

Thanks guys, I hope to learn a lot of things here!

There are a lot of options here, and I don’t really know much about VMware or Fortigate. You also didn’t say whether you want to run inline or not.

I’ve found a very simple way to get started is to get a cheap switch with a monitor/SPAN port, at least for IDS mode. I use Linux/KVM sometimes for testing, and I’m able to allocate a network port on the host specifically to that VM, and it’s then possible to monitor that traffic from inside the VM. Or when I’m testing on a Raspberry Pi, I’ll just plug the monitor port into my Raspberry Pi and be good to go.

While a cheap switch with a SPAN port might not be how the larger enterprises do it, it’s not far off. They’ll use a larger, more expensive packet broker of sorts, but it more or less does the same thing.

Now if IPS mode is your goal, you’ll need to run it on something that is inline and has 2 network ports. There is NFQ mode, which works fine on a Linux router, or you can use AF-PACKET mode to create an Ethernet bridge. These will require more time and effort to set up, though.
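As an added example (not part of the reply above or of the Suricata project’s own configuration), this is what the AF-PACKET “Ethernet bridge” mentioned above looks like in `suricata.yaml` on a dedicated two-NIC host sitting between the Fortigate and the LAN. The interface names `enp1s0` and `enp2s0` are assumptions; substitute the two ports on your box.

```yaml
# Added example: suricata.yaml fragment for AF-PACKET inline (IPS) mode.
# Interface names enp1s0 / enp2s0 are assumed; use your own two NICs.
# Every packet received on one interface and not dropped by a rule is
# copied out of the other, so the host behaves as a transparent bridge
# and needs no IP address on either port.
af-packet:
  - interface: enp1s0        # "outside" port, cabled to the Fortigate LAN side
    threads: 1
    cluster-id: 98           # must differ from the peer interface
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    buffer-size: 64535
    copy-mode: ips           # ips = forward unless a rule drops; tap = forward everything
    copy-iface: enp2s0
  - interface: enp2s0        # "inside" port, cabled to the LAN switch
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    buffer-size: 64535
    copy-mode: ips
    copy-iface: enp1s0

# The stream engine must run inline so that a drop verdict is reached
# before data is forwarded to the far side.
stream:
  inline: yes
```

Start it with `suricata -c /etc/suricata/suricata.yaml --af-packet`; there is no `-i` because both interfaces come from the config. Two practical checks: NIC offloading should be disabled on both ports (for example `ethtool -K enp1s0 gro off lro off tso off gso off sg off rx off tx off`, and the same for `enp2s0`), otherwise Suricata may see oversized or reassembled frames it cannot forward, and a rule only blocks traffic if its action is `drop`; the `alert` rules you get by default log but still forward. The NFQ alternative from the reply keeps the box as a routed Linux hop instead of a bridge: send forwarded traffic to a queue with `iptables -I FORWARD -j NFQUEUE` and run `suricata -c /etc/suricata/suricata.yaml -q 0`.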