Topics - vibe

#1
I have only ever used Suricata and Snort on a firewall device, but I am intrigued by the idea of using it on a dedicated host and removing that processing overhead from the firewall(s). My network has a classic two-firewall and DMZ setup. One firewall is a perimeter firewall with the internet on one side and the DMZ on the other. The second firewall is a firewall/router that has the DMZ on one side and separate internal networks on the other. I would like to locate a dedicated Suricata box in the DMZ as a sensor. I understand how this would work as an IDS with one interface, but I don't know how exactly I could get a dedicated Suricata host to act as an IPS without running two interfaces as a filtering bridge. All of my managed switches are layer 2. Can anyone point me to a how-to for this type of setup? I am interested in using the full scope of Suricata features for packet capture and trend analysis with an ELK stack.