Suricata Monitoring Interface


I am a bit puzzled regarding what interfaces to monitor with Suricata.

I have a test rule as follows:

drop tcp $HOME_NET any -> any any (msg:"TEST RULE BLOCK CF"; flow:established; sid:102122; priority:2; rev:1;)

I have been using Suricata to monitor the blue interface as I am only interested in applying this to devices on the blue interface at this time.

Some rules, such as the ET DNS blocking of .tk domain resolves, were working perfectly fine when I was monitoring the blue interface only; however, my test rule above does not work when I only monitor the blue interface. If I enable monitoring on both blue and red interfaces, the test rule above works as expected.

However, doing research, I was seeing that we should really not be enabling Suricata on the red interface as we will get more alerts, and we should enable it on blue and/or green behind the firewall instead, allowing most nasty things to get dropped by the firewall before they get processed by Suricata. So I am completely confused why I have to enable monitoring on the red interface to get the rule to work?

I am thinking it’s going to be something along the lines of blue -> red -> therefore monitoring blue only sees blue -> red and not red -> is this the case?

No one? RIP