Suricata IDS/IPS IN-Line

Hello everyone,

I intend to install suricata as ids / ips in an in-line configuration. I have a computer with ubuntu server with 6 nics, and I’m using the enp2s0 interface to receive internet and the enp3s0 interface to connect to another pc also with the ubuntu server. From what I realized I need to configure the meerkat file. yaml, but I don’t know how. In addition, is it necessary to take a few more steps? Any help is most welcome. Thank you

Hi. Have you had a look at the documentation?
Try searching this forum for other topics regarding IPS setups.

I appreciate your response and help. Unfortunately, documentation is not for everyone. In my opinion, more practical examples are missing, especially in the configuration file. In the forum unfortunately my case is not described anywhere. A pity because this setup is what a lot of people want.

Paulo, configuration very much depends on many factors. Both configuration file (suricata.yaml) and the documentation is written in a very verbose way, it can almost be read as a book. Due to many limiting factors it would be hard to write examples. Some general tips for configuration can already be found on Google.
To help you in your specific scenario, please try to specify thoroughly describe your scenario, ideally in parts.
The best way is to experiment by yourself. You can easily install it to see if it suits your needs. If my understanding of your problem is correct, you just need to setup Suricata on your WAN facing interface. You don’t need to setup Suricata on every interface.

So you want to forward the traffic between enp2s0 and enp3s0?

In 13. Setting up IPS/inline for Linux — Suricata 6.0.0 documentation you see the example for eth0/eth1 to copy between the interfaces.

Hi, Andreas. Thank you for your help. I already got the suricata up and running 2 days ago. I already understand the file af-packet.yaml and how it can be declared at the end of suricata.yaml. But now I have another problem that I need some help with. I send a photo

attached. The meerkat is working and I already receive logs on the splunk. So I guess the error isn’t that bad. Thank you one more time.

I followed the recommended documentation to install as an IPS, but unfortunately, I couldn’t do it. I attach my files suricata.yalm and af-packet.yalm in the hope that someone can help me. My current situation is that the suricata does not make errors, but only works as ids, as you can see in the photo. I wanted it to work in ips inline mode and transparent, that is, following my network map, only should appear as an available interface. Either way, the server has access to the internet. If anyone can help me, i would appreciate it. Thks
af-packet.yaml (396 Bytes) suricata.yaml (72.4 KB)

Did you change the signatures from alert to drop so they actually block specific traffic?
Also keep in mind that Suricata doesn’t block the access for unless you set rules for that
I would also suggest to use more than just 1 thread for each interface unless the traffic rate is very low

Thank you for your interest. Anyway, after wasting a whole week around the outdated and confusing manual … I already gave up.

If there are things that are confusing or outdated in the docs, you can give us constructive feedback and we can try to improve.

Of course my friend. Here are some examples:

  • Advanced instalation link in Ubuntu points to a version 3.1 installation guide.

  • the configuration example for creating the af_packet Suricata acting as IPS between interface does not include
    % YAML 1.1

I could be here all afternoon talking about what’s wrong with the documentation. My suggestion is to get someone to use the software for the first time and answer his questions. I’m sure the manual will be fine after that.