Inline Suricata as IPS

Can Suricata in RockNSM be configured to run inline with AF_Packet using two ethernet ports?

RockNSM isn’t designed to be run inline like this. We’re big advocates of staying passive and observing so you have something that has a high confidence of trustworthiness. Namely, if your passive network sensor is compromised, you cannot trust anything on your network.

That said, it’s certainly possible to manually configure Suricata as an IPS on your own. I would configure only one of the interfaces as a monitor interface, then manually configure Suricata to use the other interface for IPS mode. Otherwise you would get double collection in Bro and Stenographer.

NOTE: I assume you know what you’re doing here. IPS mode takes considerably more resources and requires careful attention to your rules configuration, lest you completely break your network. In general, the Suricata team would recommend on production networks that Suricata boxes in IPS mode are run on dedicated hardware, preferably behind a network tap that can do fault detection via heartbeat or something so that if your IPS fails, the system will continue to pass traffic.
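To make the "manually configure Suricata" part concrete, here is an added example of the `af-packet` section of `suricata.yaml` for AF_PACKET inline mode. It is not from the RockNSM project or the answer above; the interface names `enp0s8` and `enp0s9` are assumptions, and neither of them should be the interface RockNSM already uses as its monitor port, or Bro and Stenographer will see the traffic twice. The two entries are mirror images of each other: packets read on one interface are copied to the other (`copy-mode: ips`), and a rule with the `drop` action stops the copy.

```yaml
# Added example: two-port AF_PACKET IPS bridge for Suricata.
# Interface names are assumptions; replace with the two ports that
# will sit inline (not the RockNSM monitor port).
af-packet:
  - interface: enp0s8
    threads: 2            # must match the peer interface exactly
    cluster-id: 98        # must differ from the peer interface
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips        # forward unless a rule says "drop"
    copy-iface: enp0s9    # peer port that receives the forwarded packets
    use-mmap: yes         # required for copy-mode on both entries
    tpacket-v3: no        # tpacket-v3 is not supported in IPS mode
    buffer-size: 64535
  - interface: enp0s9
    threads: 2
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: enp0s8
    use-mmap: yes
    tpacket-v3: no
    buffer-size: 64535

# Inline stream handling; "auto" switches to inline semantics when
# Suricata runs in IPS mode.
stream:
  inline: auto
```

Start it with `suricata -c /etc/suricata/suricata.yaml --af-packet` and watch `suricata.log` for the copy-mode lines before trusting the bridge. Only rules whose action is `drop` (or `reject`) actually block; an `alert` rule in this setup logs and forwards, so a ruleset imported from a passive sensor will pass everything until actions are changed deliberately. As the answer warns, a Suricata crash or a host reboot takes the path down with it, since nothing here provides the fail-open behaviour a heartbeat-capable tap would.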