Suricata as IDS and IPS on transpararent mode

javierspn · February 16, 2023, 4:11pm

Hi team!

New around here and new to Suricata too.

We have a setup (multiple, actually) where all of our devices connect to L2 switches. Those L2 switches in turn connect to an L3 switch, not ours, routing us to another network, nor ours too.

We are planning to set up Suricata both as an IDS and IPS and i am wondering if we can set all this up as a transparent IDS/IPS:

I know Suricata can be set up in transparent mode, I don’t know if we can do that with multiple interfaces.

Any advice/tips would be appreciated.

Thanks!

Andreas_Herz · February 27, 2023, 7:20pm

Is there a routing logic that would have to be implemented or are there direct relations?
For example is everything from eth0 meant to be forwarded to eth2 and vice versa?
You could run dedicated instances for each interface pair in af-packet IPS mode or, if there is more routing logic needed, you can go the NFQueue way.

Topic		Replies	Views
IPTables and IPS Mode Help ips	3	826	February 22, 2023
Suricata Configuration for IPS and IDS Mode Help ips	10	6851	April 29, 2020
Query on IPS Mode Help	1	418	September 19, 2022
A question about Suricata-IDS in monitoring mode Help	4	263	December 6, 2023
AF_PACKET IPS mode and network cards Help	5	731	October 27, 2023

Suricata as IDS and IPS on transpararent mode

Related Topics