Novice user attempt at setting IPS at Layer 2 between 2 physical interfaces

Dear experts,
I am new to Suricata and I am trying to set it up as a layer 2 IPS between interface ens5 (external) and ens4 (internal). I am testing it against a SYN flood, but whatever the attacker sends is seen on the Suricata ens5 interface as well as the Suricata ens4 interface, and at the receiver. It is as if Suricata were simply copying the packets between the 2 interfaces, despite the rules being triggered correctly and Suricata reporting that the offending packets have been dropped. As I do not see any errors, I am attaching the relevant configuration, hoping that someone will be able to help me pinpoint the issue. Any assistance is much appreciated.

Regards,
Maurizio

Dear experts,
I forgot to mention that ufw is not active and that ens5 and ens4 are on bridge interface br0.
Regards,
Maurizio

Dear audience,
There was no reply to this post, but I was able to get this to work by removing the br0 interface under netplan. Suricata acts as a bridge by copying packets between ens5 and ens4. I was pointed to this by the fact that there were duplicate packets on the L2 segment just by executing a simple ping test. I also added the matching af-packet configuration under the netmap section in /etc/suricata/suricata.yaml. Hope this helps clarify the issue should anybody run into anything similar.

Regards,

Maurizio
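For readers hitting the same symptom, here is an af-packet inline (IPS) fragment for /etc/suricata/suricata.yaml matching the two-interface setup described above. It is an added example, not the poster's attached configuration; it assumes ens5/ens4 as in the thread, that br0 has already been removed from netplan so the kernel itself no longer forwards frames between the two NICs, and that both interfaces are up without IP addresses.

```yaml
# Added example: Suricata af-packet in IPS copy mode between two NICs.
# With a kernel bridge (br0) still present, the kernel forwards every frame
# AND Suricata copies it to the peer interface, so the receiver sees each
# packet twice and "dropped" packets still arrive via the bridge path.
# Remove br0 first; Suricata alone then decides what crosses the segment.
af-packet:
  - interface: ens5            # external side (attacker-facing in the thread)
    threads: 1                 # keep 1 per side until the setup is verified
    cluster-id: 98             # must differ between the two interfaces
    cluster-type: cluster_flow
    defrag: no                 # defrag is not supported in IPS copy mode
    copy-mode: ips             # forward only packets that are not dropped
    copy-iface: ens4           # peer interface that receives the copy
    buffer-size: 64535
    use-mmap: yes
    tpacket-v3: no             # IPS copy mode needs tpacket v2 on older releases
  - interface: ens4            # internal side (protected host in the thread)
    threads: 1
    cluster-id: 97             # different from the ens5 cluster-id above
    cluster-type: cluster_flow
    defrag: no
    copy-mode: ips
    copy-iface: ens5           # copy back towards the external side
    buffer-size: 64535
    use-mmap: yes
    tpacket-v3: no
```

Start Suricata with `--af-packet` (no interface argument, so both entries above are used), then repeat the ping test from the thread: each ICMP request should now appear exactly once per side in a packet capture, and a rule with the `drop` action should stop the matching traffic from reaching the receiver.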

Thanks @mdanubio for getting back on this and posting your solution. Yes, bridge interfaces can be tricky in such scenarios.

Hi @mdanubio, I configured layer 2 Suricata, but the hosts cannot ping each other: How to configure IPS mode with AF-PACKET? - #6 by equator8848

Do you have any ideas about this issue? :smiling_face_with_tear: