My first post but thought I’d share as I’ve not seen anyone else doing something similar.
I’ve build a NanoBSD image (embedded version of FreeBSD) on a PC Engines APU solely to run Suricata; its working great and I’m currently running Suricata 7.0.1 with a handful of the ET Pro rules and a few of my own - mostly to detect leaking usernames etc.
The OS is running off a 4GB industrial compact flash card and a separate MSATA is used to store output data.
I’m running protocol processing with eve output for a handful of things with eve output as separate files (e.g. dns, http, dhcp, tls etc) I’ve also opted for the conditional PCAP outputting only for alerts to save on space. This is running in small home network but i’d hazard a guess that it would scale pretty well with better hardware and more resilience (RAID disks etc).
I’m planning to get the eve logs out to a ELK stack at some point, time allowing, for easier analysis but in the interim i’m just using CLI tooling to review logs.
I’ve got a BIND9 DNS server running dnstap to log DNS queries, deliberately added a BPF filter to prevent the recursive queries clogging up Suricata DNS logs.
Anyone else doing/done something similar?