Hello Stefan,
back again. :-)
The new IDS WebUI looks quite good so far - enabling/disabling Suricata works as well as selecting the rule source and the operation mode (IDS/IPS).
I was also able to download the "Snort/VRT Community" ruleset. Trying to switch to the "Emerging Threats" ruleset is possible, but downloading its ruleset afterwards is not: The GUI simply stalls, printing a message that "Snort (!) is performing a task".
The WebUI services page still shows IDS status for each interface, which does not seem to work anymore (everything is stopped, but Suricata was active on RED and GREEN).
Further, a client located in GREEN behind the test firewall instance is unable to browse the internet as soon as Suricata is enabled. If disabled, downloading ET rulesets work as well as internet traffic. At the moment, I am flying blind here, but it looks like packets are not NATted anymore if Suricata is active.
Any outgoing connection is in state "SYN_SENT" if Suricata is active.
A portscan against the firewall (GREEN interface) is not detected, even though ET SCAN ruleset is enabled (used nmap with NSE active).
Especially the outgoing connection/NAT/? issue mentioned above breaks things in my scenario. Anything else are minor issues (of course, a portscan should be detected, this needs further investigation indeed). WebUI works fine so far.
Thanks again for your work; I hope the feedback can appreciate it somehow. :-)
Let me know if there are questions.
Thanks, and best regards, Peter Müller