Hope you are all keeping well. I wanted to get your thoughts, even more importantly experiences, on if you have used iptables with Suri to build an IDS (not IPS) system as opposed to having Suri sniffing the physical interfaces.
Thanks in advance
You could just follow the 13. Setting up IPS/inline for Linux — Suricata 6.0.2 documentation guide and skip setting the rules to drop, so they will just alert as IDS.
Thank you. We were aware of that process… in fact, we implement that for all inline IPS systems.
My question, however, is more to do with online IDS systems. Previously we only installed our software with Suricata directly sniffing interfaces as required. Recently we have been using iptables and pushing select traffic to nfqueue. Both seem to work well… in fact the latter, in my experience, provides for better control.
I just wanted to see if others within the group have experience or any pros and cons advice with either or both.
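As an added illustration of the iptables-to-NFQUEUE setup discussed above (this is not code from the thread or from the Suricata project), the script below emits the iptables rules that divert selected TCP traffic to a set of NFQUEUE queues, and parses the kernel's queue status so you can confirm Suricata is actually attached and not silently dropping. The queue range, ports and subnet are placeholder assumptions; the `--queue-bypass` flag is the part that matters for IDS rather than IPS use: without it, packets sent to a queue with no listener (Suricata stopped or restarting) are dropped by the kernel.

```shell
#!/bin/sh
# Added example: build iptables NFQUEUE rules for an alert-only Suricata sensor.
# Assumed placeholder values (adjust to your environment):
QUEUES="0:3"             # four queues; start Suricata with: suricata -c /etc/suricata/suricata.yaml -q 0 -q 1 -q 2 -q 3
PORTS="80,443"           # only "select traffic" goes to the queue, everything else stays in the normal path
MONITORED_NET="10.0.0.0/24"

# Emit one rule. $1 = chain, $2 = address match flag (-s or -d).
# --queue-balance spreads flows across QUEUES (one per Suricata worker).
# --queue-bypass makes the kernel ACCEPT packets when nobody listens on the queue,
# so a stopped sensor never becomes an outage. Keep Suricata rules as "alert":
# in NFQ mode a "drop" action really drops, even if you only intended IDS.
nfq_rule() {
  printf 'iptables -I %s -p tcp -m multiport --dports %s %s %s -j NFQUEUE --queue-balance %s --queue-bypass\n' \
    "$1" "$PORTS" "$2" "$MONITORED_NET" "$QUEUES"
}

# Full rule set: traffic to the host, from the host, and routed through it.
# -I inserts at the top so an earlier ACCEPT cannot short-circuit the diversion.
build_rules() {
  nfq_rule INPUT -d
  nfq_rule OUTPUT -s
  nfq_rule FORWARD -s
}

# Constructed sample of /proc/net/netfilter/nfnetlink_queue for offline testing.
# Columns: queue_num peer_portid queue_total copy_mode copy_range queue_dropped user_dropped id_sequence 1
SAMPLE_NFQ_STATUS='  0  12345     0 2 65531     0     0  1042  1
  1  12345     3 2 65531     0     5   988  1'

# Print the queue numbers that currently have a userspace listener (space separated).
# $1 = status text; defaults to the live procfs entry when empty.
# A queue present in iptables but missing here means traffic is being bypassed
# (or dropped, if --queue-bypass was omitted).
attached_queues() {
  if [ -n "$1" ]; then printf '%s\n' "$1"; else cat /proc/net/netfilter/nfnetlink_queue; fi |
    awk '{ printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# Sum kernel-side and user-side drops across all queues: a non-zero, growing
# value means the sensor cannot keep up and is losing visibility.
dropped_packets() {
  if [ -n "$1" ]; then printf '%s\n' "$1"; else cat /proc/net/netfilter/nfnetlink_queue; fi |
    awk '{ n += $6 + $7 } END { print n + 0 }'
}

# Default action is to print the rules for review; set APPLY=1 (as root) to install them.
if [ "${APPLY:-0}" = "1" ]; then
  build_rules | sh
else
  build_rules
fi
```

Run it once without `APPLY` to review the generated rules, then with `APPLY=1` as root. After starting Suricata with the matching `-q` options, `attached_queues` read from the live procfs file should list every queue in the balance range, and `dropped_packets` should stay at zero under normal load.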