I am afraid, that I don’t understand your reply. Fibre optic TAP see both directions of the traffic, but it will copy it to separate fibres, which than has to be connected to TWO separate network interfaces. This is the issue I tried to describe.
So I am looking to advise, how Suricata shall be setup, to be able to reconstruct flows, where outgoing traffic is seen on interface1, while incoming traffic is seen on interface2.
I am definitely ready to prepare docs update by myself, but I will need information how Suricata works internally.
I highly doubt, that Suricata inspect both eno1 and eno2 traffic, because it will simply do scanning of the same traffic twice! Based on my expectations Suricata will probably inspect only incoming traffic, not outgoing on both interfaces. Or both directional traffic but only on one interface.
But in the current IPS mode documentation, BOTH interfaces are setup to be monitored by Suricata. So there has to be some internal mechanism, at least I hope so.