How does Suricata work on a dedicated host?

Started by vibe, November 08, 2025, 02:23:04 AM

November 08, 2025, 02:23:04 AM Last Edit: November 08, 2025, 02:26:49 AM by vibe
I have only ever used Suricata and Snort on a firewall device, but I am intrigued about using it on a dedicated host and removing that processing overhead from the firewall(s). My network has a classic two-firewall and DMZ setup. One firewall is a perimeter firewall with internet on one side, DMZ on the other. The second firewall is a firewall/router that has DMZ on one side and separate internal networks on the other. I would like to locate a dedicated Suricata box in the DMZ as a sensor. I understand how this would work as an IDS with one interface, but I don't know how exactly I could get a dedicated Suricata host to act as an IPS without running two interfaces as a filtering bridge. All of my managed switches are layer 2. Can anyone point me to a how-to for this type of setup? I am interested in using the full scope of Suricata features for packet capture and trend analysis with an ELK stack.

Just note Suricata is not a firewall at present.

Quote from: someone on November 08, 2025, 04:53:29 AM
Just note Suricata is not a firewall at present.
I use OPNsense for firewalling.

I found what I was looking for in the Suricata documentation, 23.2.2 Setting up IPS at Layer 2, sections 23.2.2.1 and 23.2.2.2
https://docs.suricata.io/en/latest/ips/setting-up-ipsinline-for-linux.html

This guide helps me achieve the second goal:
https://www.criticaldesign.net/post/how-to-setup-a-suricata-ips-elk-stack

It would be nice if I could configure a third OPNsense machine as a dedicated Suricata IPS, but I will follow the Linux documentation first to get a working system. I will take a look afterwards to find out what OPNsense config would be necessary to achieve similar functionality, or use a FreeBSD host. I am interested to compare performance between both OSes on the same hardware.
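The Suricata doc section linked above (AF_PACKET IPS mode) pairs two interfaces so that every packet read on one is re-injected on the other after inspection; the host then behaves as a software wire with Suricata inline, without a kernel bridge. The script below is an added example, not from this thread or the Suricata project: it builds that af-packet section for a two-NIC pair, checks the constraints the docs call out (copy-iface entries that mirror each other, the same thread count on both sides, distinct cluster-ids, copy-mode ips or tap) and prints the YAML. Interface names enp2s0/enp3s0 and the cluster ids are constructed placeholders; the only external assumption is that the two NICs carry no IP address and are dedicated to the bridge.

```python
# Added example (not from the thread or the Suricata project): generate and
# sanity-check the af-packet section of suricata.yaml for a two-interface
# AF_PACKET IPS deployment, the layout described in the Suricata docs
# "Setting up IPS/inline for Linux". Interface names and cluster ids below
# are constructed placeholders.
from dataclasses import dataclass


@dataclass
class AfPacketIface:
    interface: str          # NIC Suricata reads from (no IP address on it)
    copy_iface: str         # NIC packets are forwarded to after inspection
    cluster_id: int         # must be unique per interface
    threads: int = 1        # must match on both sides of the pair
    copy_mode: str = "ips"  # "ips" drops on match; "tap" only copies


def ips_pair(left, right, threads=1, cluster_left=98, cluster_right=97):
    """Two af-packet entries that forward to each other: a software wire
    between `left` and `right` with Suricata inline."""
    return [
        AfPacketIface(left, right, cluster_left, threads),
        AfPacketIface(right, left, cluster_right, threads),
    ]


def validate(ifaces):
    """Return a list of misconfigurations that would keep the pair from
    bridging (or leave one direction uninspected)."""
    errors = []
    by_name = {i.interface: i for i in ifaces}
    for i in ifaces:
        if i.copy_mode not in ("ips", "tap"):
            errors.append(f"{i.interface}: copy-mode must be ips or tap, got {i.copy_mode!r}")
        if i.interface == i.copy_iface:
            errors.append(f"{i.interface}: copy-iface must be a different interface")
        peer = by_name.get(i.copy_iface)
        if peer is None:
            errors.append(f"{i.interface}: copy-iface {i.copy_iface} has no af-packet entry")
        else:
            if peer.copy_iface != i.interface:
                errors.append(f"{i.interface} -> {i.copy_iface} is not mirrored by {peer.interface}")
            if peer.threads != i.threads:
                errors.append(f"{i.interface}/{peer.interface}: thread counts differ")
    ids = [i.cluster_id for i in ifaces]
    if len(set(ids)) != len(ids):
        errors.append("cluster-id values must be distinct per interface")
    return errors


def render(ifaces):
    """Emit the af-packet: block as YAML text (no PyYAML dependency)."""
    lines = ["af-packet:"]
    for i in ifaces:
        lines += [
            f"  - interface: {i.interface}",
            f"    threads: {i.threads}",
            "    defrag: no",
            "    cluster-type: cluster_flow",
            f"    cluster-id: {i.cluster_id}",
            f"    copy-mode: {i.copy_mode}",
            f"    copy-iface: {i.copy_iface}",
            "    buffer-size: 64535",
            "    use-mmap: yes",
            # tpacket-v3 is a capture-side optimisation; the stock
            # suricata.yaml warns against it in IPS/TAP mode (latency).
            "    tpacket-v3: no",
        ]
    return "\n".join(lines) + "\n"


def build_or_fail(ifaces):
    """Render only when the pair validates; otherwise raise with all errors."""
    errors = validate(ifaces)
    if errors:
        raise ValueError("; ".join(errors))
    return render(ifaces)


if __name__ == "__main__":
    # Constructed: enp2s0 faces the perimeter firewall, enp3s0 faces the DMZ.
    print(build_or_fail(ips_pair("enp2s0", "enp3s0", threads=2)))
```

Paste the printed block over the af-packet section of suricata.yaml and start Suricata with `suricata -c /etc/suricata/suricata.yaml --af-packet` (no `-i`, so both entries are used). The validator exists because the failure modes are quiet: a cluster-id collision or a one-sided copy-iface does not stop Suricata from starting, it just stops traffic from crossing the box in one direction. As the docs also recommend, bring both NICs up without addresses and turn off offloading (GRO/LRO/TSO/GSO) on them so that reassembled super-frames are not re-injected.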

IPS on layer 2 only works if the host can actually intercept the traffic "in line", meaning there is a transparent filtering bridge configuration.

Here is how I usually set it up for customers with OPNsense, I recently wrote it down:
https://github.com/opnsense/docs/blob/33935a89ca2655992a42f30885ac12b7f8a9888b/source/manual/how-tos/transparent_bridge.rst
Hardware:
DEC740

Quote from: Monviech (Cedrik) on November 08, 2025, 09:37:18 PM
IPS on layer 2 only works if the host can actually intercept the traffic "in line", meaning there is a transparent filtering bridge configuration.

Thanks. I suspected that a filtering bridge with two physical network interfaces would be necessary. I will put it behind my perimeter OPNsense firewall so that the Suricata bridge is the first in-line feeding the DMZ network where the publicly accessible services are located. The internal OPNsense firewall/router will be next with the ELK stack located on one of its internal networks.

I am not certain at the moment if it is worth having a third interface on the Suricata IPS to isolate logstash traffic. I keep all my IPMI, SNMP and syslog on an isolated VLAN that has no internet connectivity.