Run suricata IDS/IPS on the client (laptop)?

Currently I am wondering if I should replace my router with OPNSense and run suricata on it.

Today I had another thought:

Does it make sense to simply run suricata on my client (laptop) since that would mean I get IDS/IPS on any network I am connected to, even if I am not on my home network?
Also I wonder if this also gives the possibility to inspect traffic before it gets encrypted (https)?

On (Arch)Linux a suricata package exists.

Thanks!

No need to replace OPNsense with Suricata, it has Suricata built-in and that might suit your needs.

Running on your laptop is of course something you could do, but it will still only look at the network, so it won’t see any traffic pre-encryption.

@ish I don’t have OPNSense yet which is why I was thinking I could use suricata on my client instead.

Do you mean that it will see traffic pre-encryption or not?

I was under the impression that IDS/IPS is a lot less useful with encrypted traffic?

Fixed my typo. It won’t see any traffic pre-encryption.

IDS/IPS signatures can be less useful with encryption, however, a lot of them are for unencrypted traffic, and you can still learn a lot about your network.

I’d say running directly on a laptop/desktop/workstation is more for the hobbyist type. In general, Suricata is best placed on a network access point, like a router/firewall or a tap off a switch. Almost sounds like you want some form of end-point security tool on your laptop as well.
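
What "it will still only look at the network" means in practice, as an added example that is not part of the original thread: this Python sketch reads Suricata EVE JSON records and lists what was logged per flow, cleartext HTTP versus TLS. The log lines, addresses, hostnames and the alert signature are constructed; the field names assume Suricata's standard EVE `http`, `tls` and `alert` event layout.

```python
import json
from collections import defaultdict

# Constructed eve.json lines (sample data, not from a real capture).
SAMPLE_EVE = """\
{"event_type":"http","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","http":{"hostname":"plain.example","url":"/login?user=alice","http_method":"GET","http_user_agent":"curl/8.0"}}
{"event_type":"tls","src_ip":"192.0.2.10","dest_ip":"198.51.100.8","tls":{"sni":"secure.example","version":"TLS 1.3"}}
{"event_type":"tls","src_ip":"192.0.2.10","dest_ip":"198.51.100.9","tls":{"version":"TLS 1.2","subject":"CN=internal.example","issuerdn":"CN=Example CA"}}
{"event_type":"alert","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","alert":{"signature":"CONSTRUCTED plaintext credential in URL","severity":2}}
"""

def visible_fields(eve_text):
    """Map each flow (src -> dest) to the protocol metadata Suricata logged."""
    seen = defaultdict(dict)
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # eve.json can hold a truncated last line while being written
        etype = ev.get("event_type")
        flow = f'{ev.get("src_ip")} -> {ev.get("dest_ip")}'
        if etype == "http":
            h = ev.get("http", {})
            seen[flow]["http"] = {k: h[k] for k in ("hostname", "url", "http_method") if k in h}
        elif etype == "tls":
            # Only handshake metadata is logged; the request inside TLS is not.
            t = ev.get("tls", {})
            seen[flow]["tls"] = {k: t[k] for k in ("sni", "version", "subject", "issuerdn") if k in t}
        elif etype == "alert":
            seen[flow].setdefault("alerts", []).append(ev.get("alert", {}).get("signature"))
    return dict(seen)

def payload_visible(flow_info):
    """True only when application-layer content (a URL) was logged in cleartext."""
    return "url" in flow_info.get("http", {})

if __name__ == "__main__":
    for flow, info in visible_fields(SAMPLE_EVE).items():
        print(flow, "payload visible" if payload_visible(info) else "metadata only", info)
```

For the TLS flows the output holds only handshake metadata such as the SNI and version, which is why payload signatures do not fire there while host and certificate fields remain usable for learning about the network.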

@ish thanks for explaining.

Yes I am kinda looking for an endpoint solution but not much exists in (Arch)Linux. That is why I thought that Suricata could help.