RE: https://infosec.exchange/@suricata/116291041184617317

Got some of my work featured in this post as well -- Operating in the Margins, and Suricata: An Operator's Guide, released up to chapter 9.

This newsletter appears to be run about once quarterly-ish. If you have anything network-forensics-related, more specifically Suricata-related, let me know. I want to pass it along and ensure that the rest of our community gets recognition.

Likewise, if you have a Suricata/NSM-related question you want answered, I would be happy to answer it and write about it on community.emergingthreats.net, so that everyone can benefit from the insight.

As always, thanks to OISF, and @ish for featuring my work, alongside the work of the community.

#Suricata #OISF #newsletter

@da_667 @ish OK, here's a question: Can I use Suricata in conjunction with an older Layer 3 firewall to achieve the same functionality I would get out of a modern Layer 7 NGFW?

Or am I fundamentally misunderstanding Suricata's role?

That's an excellent question you bring up. So this is my opinion, but Suricata has a lot of the features that NGFWs have. It's entirely possible to do something like what you're thinking to replace an NGFW.

In fact, if you're curious to try out a pre-built example, you might consider taking a look at OPNsense.

OPNsense is, essentially, a fork of pfSense with a good number of changes under the hood.

There's a pre-configured/pre-installed Suricata installation that integrates with the rest of the firewall functionality, and you can also acquire access to the Emerging Threats Pro set through an agreement to provide generalized alert telemetry.

Otherwise, Suricata is well-documented. One of the features for firewall integration with inline operation is NFQueue, but there's also AF_PACKET and other traffic capture modes available as well.

As far as features go, they outnumber the stars in the sky at this point.

You want flow? It can do flow. You want file carving? It can do file carving. You want HTTP/SSL logs? It can do that as well.

The latest versions also support integration with ntop's nDPI library for even more rule-writing and detection options.

There is a lot of curation that comes with deploying Suricata to eliminate false positives, and that's probably one of the biggest differences from an NGFW -- the care and feeding required to not have to deal with alert fatigue.
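
As an added example (not code from the thread, from OISF or from the Suricata project), here is the kind of "care and feeding" loop the reply above describes, in the shape an operator would script it before running inline: count EVE JSON alerts by signature to find the noisy rules, comment out the ones you have decided are false positives, and promote the rules you trust from `alert` to `drop` so they actually block in NFQueue/AF_PACKET IPS mode. The rule lines, SIDs (local 1000000+ range) and EVE log lines are constructed samples; in production the same transformations are normally expressed in suricata-update's disable.conf and drop.conf rather than hand-rolled.

```python
"""Tuning helper for Suricata rulesets (added illustration, not project code).

Workflow it demonstrates:
  1. top_signatures(): rank alerts in an EVE JSON log by signature_id
  2. tune_rules():     comment out noisy SIDs, rewrite trusted 'alert'
                       rules as 'drop' for inline (IPS) operation
All sample rules and log lines below are constructed, not real ET content.
"""
import json
import re
from collections import Counter

# Constructed sample rules in Suricata syntax, local SID range.
SAMPLE_RULES = """\
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL Suspicious UA"; flow:established,to_server; http.user_agent; content:"evil-agent"; classtype:trojan-activity; sid:1000001; rev:2;)
alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL Self-signed cert seen"; tls.cert_subject; content:"CN=localhost"; sid:1000002; rev:1;)
# comment lines and blanks must pass through untouched

alert dns $HOME_NET any -> any 53 (msg:"LOCAL DNS query for known bad domain"; dns.query; content:"bad.example"; nocase; sid:1000003; rev:1;)
"""

RULE_RE = re.compile(r"^(?P<action>alert|drop|reject|pass)\s+(?P<rest>.+)$")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_rule(line):
    """Return (action, rest_of_rule, sid) or None for comments/blank lines."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    sid = SID_RE.search(m.group("rest"))
    return m.group("action"), m.group("rest"), int(sid.group(1)) if sid else None


def eve_alert(sid, signature, action="allowed"):
    """Build a minimal constructed EVE 'alert' event (only the fields we read)."""
    return json.dumps({
        "timestamp": "2024-01-01T00:00:00.000000+0000",
        "event_type": "alert",
        "src_ip": "10.0.0.5", "dest_ip": "203.0.113.7",
        "alert": {"action": action, "signature_id": sid, "signature": signature},
    })


# Constructed log: the TLS rule fires three times, the UA rule once,
# plus a non-alert event and a truncated line, as real eve.json files have.
SAMPLE_EVE = (
    [eve_alert(1000002, "LOCAL Self-signed cert seen")] * 3
    + [eve_alert(1000001, "LOCAL Suspicious UA")]
    + ['{"event_type":"flow","src_ip":"10.0.0.5"}', '{"event_type":"alert","al']
)


def top_signatures(eve_lines, n=5):
    """Rank EVE alert events by signature_id -> [(sid, count), ...]."""
    counts = Counter()
    for raw in eve_lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # truncated/partial line: skip it rather than abort the run
        if ev.get("event_type") == "alert":
            counts[ev["alert"]["signature_id"]] += 1
    return counts.most_common(n)


def tune_rules(rules_text, disable_sids=(), drop_sids=()):
    """Comment out disabled SIDs; rewrite selected 'alert' rules as 'drop'."""
    out = []
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None:
            out.append(line)  # comment or blank: keep verbatim
            continue
        action, rest, sid = parsed
        if sid in disable_sids:
            out.append("# " + line.strip())  # disabled but kept for audit trail
        elif sid in drop_sids and action == "alert":
            out.append("drop " + rest)  # only promote alert rules, never pass
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("noisiest signatures:", top_signatures(SAMPLE_EVE))
    # Operator decision after review: 1000002 is noise here, 1000001 is trusted.
    print(tune_rules(SAMPLE_RULES, disable_sids={1000002}, drop_sids={1000001}))
```

The parser deliberately touches only the leading action keyword and leaves the rest of the rule byte-for-byte intact, so a promoted rule keeps its `rev` and options and still loads; a rule with no `sid` is left untouched rather than guessed at.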
@da_667 I would tend entire gardens of things to avoid responding to the same alerts every few days. (you know, back when I was employed lol)