Suricata with multiple interfaces

Juan · March 12, 2025, 3:45pm

We are running Suricata 7.0.3 on an Ubuntu server with multiple interfaces. Currently, we are testing with /24 subnets, but in the future, we plan to monitor a larger part of our organization, possibly using /16 subnets.

First, we would like to ask if you have any recommendations. Right now, each subnet is configured on a separate interface on the virtual server. Would it be better to have all the traffic on one interface? Does this depend on the capacity of the virtual network card or the amount of traffic being monitored?

Second, is there a limit to the number of interfaces Suricata can monitor?

Thank you.

Andreas_Herz · March 12, 2025, 3:51pm

The subnet size is irrelevant for Suricata (more or less) it is only interested in the actual network traffic, which can be even bigger networks.

Is there a reason to configure it that complicated? It would be much easier to have it on one interface or at least less. This keeps the overhead low and would help performance.

There might be a theoretical limit to Suricata but this is more limited by the NICs or the OS I guess.

Topic		Replies	Views
$HOME_NET and multiple interfaces, plus deployment best practices Help	3	4498	June 27, 2020
Suricata anda Port Mirroring Help suricata	1	126	November 27, 2024
Rules for different network interfaces Help	7	1391	April 30, 2022
Multiple interfaces on the same machine Help	12	9403	October 20, 2022
Architecture help Help ips , community , centos	2	1268	November 29, 2020

Suricata with multiple interfaces

Related topics