Can I use same suricata instance for both IDS (for L3,4) and IPS (for L3,L4,L7)?

Question

I have a interface where traffic is flowing from internet to NGINX server to application server. I want to monitor (IDS) the traffic flowing between Internet and NGINX at L3,4 and IPS the traffic flowing out from NGINX to application server at L3,4,7.

Will it be possible to use same suricata instance to do the both?

score 0 · Answer 1 · answered Jan 30 '16 at 09:10

0

Not at this time. There is work being done to support this use case using NFQUEUE (IPS) and NFLOG (IDS).

Ticket: https://redmine.openinfosecfoundation.org/issues/1604

But for now you will have to run 2 instances.

answered Jan 30 '16 at 09:10

Victor Julien

26
2

Can I use same suricata instance for both IDS (for L3,4) and IPS (for L3,L4,L7)?

1 Answers1