I am planning to use Suricata in IPS mode where bidirectional traffic from both LAN interfaces goes through the TAP1 interface to Suricata. Suricata is running in IPS AF_PACKET mode on the TAP1 and TAP2 interfaces. However, bidirectional traffic always comes into Suricata via TAP1 and leaves via TAP2. Will this way of receiving all bidirectional traffic only via TAP1 create any problem for Suricata running in IPS mode?
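For reference, this is how the TAP1/TAP2 pair described above would be expressed in the `af-packet` section of `suricata.yaml`. It is an added illustration, not configuration from the original post; interface names, thread counts, cluster ids and buffer size are assumptions to adjust for the host.

```yaml
# Added example (not from the thread): AF_PACKET IPS copy-mode bridge between
# TAP1 and TAP2. In copy-mode every packet received on one interface is, after
# inspection, either dropped on a matching drop rule or transmitted on its
# copy-iface peer; the pairing is symmetric, so TAP2 -> TAP1 is also forwarded.
af-packet:
  - interface: TAP1
    threads: 4                 # assumption; must equal the peer's thread count
    cluster-id: 98             # unique per interface
    cluster-type: cluster_flow # keeps both directions of a flow on one thread
    defrag: yes
    copy-mode: ips             # forward unless a drop rule matches
    copy-iface: TAP2           # packets received on TAP1 leave via TAP2
    use-mmap: yes
    tpacket-v3: no             # tpacket v3 is not supported in IPS copy-mode
    buffer-size: 64535
  - interface: TAP2
    threads: 4
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: TAP1           # packets received on TAP2 leave via TAP1
    use-mmap: yes
    tpacket-v3: no
    buffer-size: 64535
```

With this pairing, a setup where both directions of a flow only ever arrive on TAP1 means TAP1's threads inspect the whole flow and TAP2 is used purely for transmission; validate the file with `suricata -T -c suricata.yaml` and compare the per-interface `capture.kernel_packets` counters in `stats.log` to confirm which side is actually receiving.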
I’m not sure if I completely get the setup, could you draw a simple sketch with an example flow with more details?
So an ICMP echo request coming from LAN1 will go to TAP1 and into Suricata and afterwards be forwarded through TAP2 to the target at LAN2?
But the echo reply will also end up at TAP1?
I don’t want to say this won’t work, but it’s hard to tell upfront; it would require testing.
Since it’s coming from one TAP to another TAP, is this a copy of the actual traffic?