Hello, I’m setting up Suricata as a network-based intrusion prevention system (NIPS) and need help configuring it to monitor and control all traffic for VLAN 100. I’ve tried various configurations, deploying Suricata on the same VLAN and on a separate VLAN, as well as assigning the gateway IP, but I’m still facing routing issues.
Could you provide guidance on the best approach and any relevant configuration examples?
I also need the correct routing rules in case 2 interfaces are needed.
I am using Suricata 7.0.7 on Ubuntu Server. I first set it up in the default IDS mode and then changed it to IPS mode. It worked perfectly for its own host but not for the hosts in all the networks, so I configured all the routing and iptables rules. I could not see the HOME_NET traffic going through the Suricata machine, so we configured a rule in the firewall. The rule is like this: if the other machines in this VLAN want to reach an external network, once they go to the gateway, they should be redirected to the Suricata machine. For other loop problems, I used 2 interfaces in the Suricata host. The traffic now flows perfectly: when a machine in the HOME_NET wants to ping 8.8.8.8, it goes to its gateway, then to the Suricata host, then to the gateway of Suricata's other interface and from there to the internet. I have configured all the routing for this in the Suricata machine.

But there is a problem: whenever we commit the firewall rule, the machines in the VLAN lose their internet access. They can ping 8.8.8.8 or other domains like youtube.com, but their HTTP requests have problems; they cannot open those domains in the browser. Can you help me with this problem? What should I do in this situation? There is no HTTP block in any rules.
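The inline plumbing for the two-interface Suricata host described above, as an added example that is not part of the original post or of Suricata's own documentation. It assumes eth0 faces the VLAN 100 gateway, eth1 faces the upstream gateway, Suricata is started with `-q 0`, and strict reverse-path filtering is the host default; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Added example: forwarding + NFQUEUE rules for a two-interface Suricata IPS host.
# Assumed names (not from the original post): eth0 = VLAN side, eth1 = upstream side.
IN_IF="${IN_IF:-eth0}"
OUT_IF="${OUT_IF:-eth1}"
QUEUE="${QUEUE:-0}"

# Run a command, or just print it when DRY_RUN=1 (lets you review before applying).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

ips_setup() {
    # The host must route packets between the two interfaces.
    run sysctl -w net.ipv4.ip_forward=1
    # Hand forwarded traffic in BOTH directions to the queue Suricata reads
    # (suricata -q 0). --queue-bypass lets packets through if Suricata is not
    # running, so a crash of the IPS does not turn into an outage for the VLAN.
    run iptables -I FORWARD -i "$IN_IF" -o "$OUT_IF" -j NFQUEUE --queue-num "$QUEUE" --queue-bypass
    run iptables -I FORWARD -i "$OUT_IF" -o "$IN_IF" -j NFQUEUE --queue-num "$QUEUE" --queue-bypass
    # Strict reverse-path filtering silently drops packets that arrive on an
    # interface the kernel would not use to reach their source; a host that is
    # only a redirect target on one side is a common place to hit this.
    run sysctl -w "net.ipv4.conf.$IN_IF.rp_filter=0"
    run sysctl -w "net.ipv4.conf.$OUT_IF.rp_filter=0"
}

# Sanity check on a live host: returns 0 when both directions are queued,
# which is what Suricata needs to track a TCP stream inline.
ips_check() {
    n=$(iptables -S FORWARD 2>/dev/null | grep -c -- "-j NFQUEUE --queue-num $QUEUE")
    [ "$n" -ge 2 ]
}
```

Run `DRY_RUN=1 sh ips.sh` first and compare the printed rules with `iptables -S FORWARD` on the host; `ips_check` only confirms the rules exist, not that the firewall's redirect actually delivers both halves of each flow to this host.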