Suricata in IDS mode sees packets before Linux iptables

Hi.

I am running Suricata on Linux with af-packet in IDS mode.

Packets that are blocked with the firewall rules are still showing up in Suricata flow logs.

Is there a way for them to not show up? They are just filling up space in the SIEM. How are people handling this?

thanks,
Geoff

This is normal and expected behavior. There is an answer with an explanation in this Stackoverflow question: https://stackoverflow.com/questions/62866943/how-does-the-af-packet-socket-work-in-linux.

Suricata is getting a copy of packets as they traverse the physical interface. This happens BEFORE the iptables firewall has seen the traffic. In fact, basically Suricata and iptables are each getting a copy of each packet at the same time. This is why some folks prefer to place IDS instances on internal firewall interfaces and not the external one so as to hide the normal Internet “noise” when running on a firewall edge device.

When running IDS/IPS on a device that is also the firewall, you are not typically running the IDS/IPS to protect the firewall. You run it to protect or police internal hosts behind the firewall. Therefore it is perfectly valid to place the IDS/IPS on an internal-facing firewall interface (or interfaces in the case of multiple internal networks). This will let the external-facing firewall filter “noise” and thus limit what the IDS/IPS has to cope with. However, this can get memory and CPU intensive if you have many internal interfaces. Putting an IDS/IPS instance on each could get expensive in terms of CPU and RAM requirements.

Thank you Bill.

That makes sense. I have it on the internal interface, but there are some noisy clients.

For some of the traffic I will exclude it with a bpf filter.

Have a great day!!
Geoff
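
The BPF exclusion mentioned in the last post, as an added example that is not part of the original thread: a `suricata.yaml` fragment that sets `bpf-filter` on the af-packet capture for the internal interface. The interface name, cluster settings, addresses and ports are constructed placeholders, not values from the posters' systems.

```yaml
# suricata.yaml (fragment) - constructed example, not the posters' configuration
af-packet:
  - interface: eth1              # assumed name of the internal-facing interface
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    # The kernel applies this filter before Suricata receives its copy of the
    # packet. Anything the expression rejects produces no flow records, and
    # also no alerts, so keep each exclusion as narrow as possible
    # (host AND protocol AND port, never a whole subnet).
    #
    #   10.0.0.50 : constructed address of a client flooding SSDP (udp/1900)
    #   10.0.0.60 : constructed address of a client polling NTP (udp/123)
    bpf-filter: >-
      not (src host 10.0.0.50 and udp dst port 1900)
      and not (src host 10.0.0.60 and udp dst port 123)
```

Because filtered traffic is invisible to every Suricata rule as well as to flow logging, review the exclusion list whenever the noisy clients change.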