Was Suricata designed to run on a WAN interface? I am asking because I wanted to run Zenarmor alongside Suricata and cannot have both on LAN.
I had some nmap rules on LAN using Suricata and I guess I will lose those.
Can someone please explain if there are any benefits of running Suricata on the LAN side?
Suricata can run on the WAN or the LAN side equally well; it just depends on where you need visibility. I think most typically run it on the LAN side as there is often little point to alerting on traffic that will be dropped by the firewall anyway.
I don’t know anything about Zenarmor, but they may be able to help you run both on the same interface. It also depends on what capture method you are using, etc.