A few basic questions about Suricata-IDS

Help
1

Hello,
I have a few questions about some Suricata-IDS options:

1- Do I need to add port 445 to the port-groups section to protect the file sharing (SMB) service?

2- Should the af-packet section be enabled when Suricata is running in NFQ IPS mode? Or is this section only for AF_PACKET IPS mode?

3- In the interfaces section, I saw something like the following:

interfaces:
   - interface: 0000:3b:00.0 # PCIe address of the NIC port

But I have never defined the value 0000:3b:00.0. Do I have to define the PCIe address for each network card?

4- Which network card should be defined in pcap and pfring sections?

Thank you.

3
  1. Will depend on your rules in use, generally no.
  2. The packet capture sections only apply when they are in use. If using af-packet, it doesn’t matter whats in the pfring, or nfq sections.
  3. Thats for DPDK. Are you using DPDK?
  4. See (2) above.