I’m not really sure how you would use a Linux machine in a VM on Windows, to provide IPS functionality for that Windows machine. It’s probably not impossible, but may require some research and trial and error.
I do have one piece of advice and that is to remove Suricata, then add it back when the network is working as you want it.
- For NFQ IPS this means not setting up your `-j NFQUEUE` statements until your packets are flowing through your IPS machine as desired on your network.
- For AF_PACKET IPS, this means using the standard Linux bridge. When your networking is working as you want, stop the Linux bridge, and bring up Suricata in AF_PACKET IPS mode, as it will replace that bridge.
If it doesn’t work without Suricata, it’s unlikely to work with Suricata.
And when it comes to virtual machines, make sure you disable offloading on the network interfaces of the physical host, as well as the virtual hosts.
Generally virtual machines make this more complicated.
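The staged bring-up described above for AF_PACKET IPS (plain bridge first, Suricata replaces it once traffic flows) together with an offload check, as an added example that is not code from the original post. The interface names, the bridge name br0 and the suricata.yaml path are assumptions; the `ethtool -k` sample is constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes a Linux IPS guest with two
# inline interfaces (IFACE_A, IFACE_B) and a suricata.yaml whose af-packet
# section already pairs them in copy-mode "ips".
IFACE_A="${IFACE_A:-eth1}"
IFACE_B="${IFACE_B:-eth2}"

# Stage 1: plain Linux bridge, no Suricata. Confirm traffic flows end to end.
bridge_up() {
    ip link add name br0 type bridge
    for i in "$IFACE_A" "$IFACE_B"; do
        ip link set "$i" master br0 && ip link set "$i" up
    done
    ip link set br0 up
}

# Stage 2: traffic flows; remove the bridge so Suricata can take its place.
bridge_down() {
    ip link set br0 down && ip link del br0
}

# Stage 3: Suricata in AF_PACKET IPS mode now does the bridging.
start_suricata_ips() {
    suricata -c /etc/suricata/suricata.yaml --af-packet
}

# Offloads merge or split packets before Suricata sees them; turn them off on
# the physical host's interfaces as well as inside every guest.
disable_offloads() {
    ethtool -K "$1" gro off lro off tso off gso off sg off rx off tx off
}

# Read `ethtool -k IFACE` output on stdin; print each top-level offload that is
# still "on" and return 1 if any was found, 0 if all are off.
offloads_still_on() {
    awk '/^(rx-checksumming|tx-checksumming|scatter-gather|tcp-segmentation-offload|generic-segmentation-offload|generic-receive-offload|large-receive-offload):/ {
            split($0, kv, ":"); gsub(/^ +/, "", kv[2])
            if (kv[2] ~ /^on/) { print kv[1]; found = 1 }
         }
         END { exit (found ? 1 : 0) }'
}
# Constructed sample of `ethtool -k` output (not captured from a real host).
SAMPLE_ETHTOOL='Features for eth1:
rx-checksumming: off
scatter-gather: on
	tx-scatter-gather: on
generic-receive-offload: on
large-receive-offload: off [fixed]'
printf '%s\n' "$SAMPLE_ETHTOOL" | offloads_still_on || echo "-> disable_offloads eth1 first"
```

Only `offloads_still_on` runs without root; the bridge and Suricata functions need root and the real interfaces.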