Dear experts,
I am new to Suricata and I am trying to set it up as a layer 2 IPS between interface ens5 (external) and ens4 (internal). I am testing it against a SYN flood, but whatever the attacker sends is seen on Suricata's ens5 interface as well as Suricata's ens4 interface, and at the receiver. It is as if Suricata is simply copying the packets between the two interfaces, despite the rules being triggered correctly and Suricata reporting that the offending packets have been dropped. As I do not see any errors, I am attaching the relevant configuration, hoping that someone will be able to help me pinpoint the issue. Any assistance is much appreciated.
Suricata.zip (26.9 KB)
Dear audience,
There was no reply to this post, but I was able to get this to work by removing the br0 interface under netplan. Suricata acts as a bridge by copying packets between ens5 and ens4. I was pointed to this by the fact that there were duplicate packets on the L2 segment just by executing a simple ping test. I also added the matching af-packet configuration under the netmap section in /etc/suricata/suricata.yaml. Hope this helps clarify the issue should anybody run into anything similar.
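For anyone reproducing the setup above, here is an added example of an af-packet inline (copy-mode) configuration for the two interfaces named in the thread. It is not taken from the poster's attachment or from the Suricata project; the interface names come from the post, while the cluster-ids, thread count and buffer size are arbitrary values chosen for illustration.

```yaml
# /etc/suricata/suricata.yaml, af-packet section (example, not the poster's config)
# Each interface copies what it receives to the other one, so Suricata itself is
# the bridge. There must be NO kernel bridge (e.g. netplan br0) spanning ens5 and
# ens4 at the same time: the kernel would forward every frame on its own, producing
# the duplicate packets seen in the ping test, and frames Suricata drops would still
# reach the far side through the bridge.
af-packet:
  - interface: ens5           # external side
    threads: 1                # must match the thread count on the peer interface
    cluster-id: 99            # arbitrary, unique per interface
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips            # inline: packets matching drop rules are not copied
    copy-iface: ens4          # where accepted packets are written
    buffer-size: 64535
    use-mmap: yes             # required for copy-mode
    tpacket-v3: no            # conservative setting for inline mode (assumption for this version)
  - interface: ens4           # internal side, mirror of the entry above
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: ens5
    buffer-size: 64535
    use-mmap: yes
    tpacket-v3: no
```

Start Suricata with `suricata -c /etc/suricata/suricata.yaml --af-packet`, and before trusting a drop test confirm with `ip link show type bridge` that no kernel bridge still contains the two interfaces.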