A few basic questions about Suricata-IDS

Hello,
I have a few questions about some Suricata-IDS options:

1- Do I need to add port 445 to the port-groups section to protect the file sharing (SMB) service?

2- Should the af-packet section be enabled when Suricata is running in NFQ IPS mode? Or is this section only for AF_PACKET IPS mode?

3- In the interfaces section, I saw something like the following:

interfaces:
   - interface: 0000:3b:00.0 # PCIe address of the NIC port

But I have never defined the value 0000:3b:00.0. Do I have to define the PCIe address for each network card?

4- Which network card should be defined in pcap and pfring sections?

Thank you.

  1. Will depend on your rules in use, generally no.
  2. The packet capture sections only apply when they are in use. If using af-packet, it doesn’t matter what’s in the pfring or nfq sections.
  3. That’s for DPDK. Are you using DPDK?
  4. See (2) above.
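To make the reply concrete, here is a suricata.yaml fragment covering the four points. It is an illustration added to this thread, not the original poster's or the replier's configuration and not Suricata's shipped default file. The interface names eth0 and eth1, the NFQUEUE number 0 and the SMB_PORTS variable are assumptions chosen for the example; the PCIe address is the one quoted in the question.

```yaml
# Added example, not from the original post or reply. Interface names
# (eth0/eth1), queue number 0 and the SMB_PORTS variable are assumed.

vars:
  address-groups:
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
    EXTERNAL_NET: "!$HOME_NET"
  # (1) port-groups are only variables that rules reference as $NAME.
  # Adding 445 here changes nothing by itself; a rule has to use it.
  port-groups:
    HTTP_PORTS: "80"
    SSH_PORTS: 22
    FILE_DATA_PORTS: "[$HTTP_PORTS,110,143]"
    SMB_PORTS: "[139,445]"   # assumed custom variable, used by a rule such as:
    # alert tcp $EXTERNAL_NET any -> $HOME_NET $SMB_PORTS (msg:"SMB from outside"; sid:1000001; rev:1;)

# SMB parsing is configured under app-layer, not under port-groups.
# detection-ports only seed protocol detection; pattern matching still
# recognises SMB on other ports.
app-layer:
  protocols:
    smb:
      enabled: yes
      detection-ports:
        dp: 139, 445

# (2)/(4) One capture method is chosen on the command line, and only that
# method's section is read; the others can keep their defaults.

# suricata -c suricata.yaml --af-packet=eth0   (AF_PACKET IDS, one interface)
# suricata -c suricata.yaml --af-packet        (AF_PACKET IPS, both interfaces below)
af-packet:
  - interface: eth0
    cluster-id: 99
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips          # AF_PACKET IPS only: bridge eth0 <-> eth1
    copy-iface: eth1
  - interface: eth1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: eth0

# suricata -c suricata.yaml -q 0               (NFQ IPS)
# Packets arrive from a netfilter queue, e.g.:
#   iptables -I FORWARD -j NFQUEUE --queue-num 0
# No interface is named here, and the af-packet section above is ignored.
nfq:
  mode: accept
  fail-open: yes

# suricata -c suricata.yaml --pcap=eth0        (libpcap IDS)
pcap:
  - interface: eth0

# suricata -c suricata.yaml --pfring=eth0      (PF_RING IDS)
pfring:
  - interface: eth0
    threads: auto
    cluster-id: 99
    cluster-type: cluster_flow

# (3) The PCIe address belongs to DPDK only. DPDK takes the NIC away from
# the kernel driver, so the port is named by PCIe bus address rather than
# by interface name. Find it with: ethtool -i eth0 | grep bus-info
# suricata -c suricata.yaml --dpdk             (DPDK mode)
dpdk:
  eal-params:
    proc-type: primary
  interfaces:
    - interface: 0000:3b:00.0   # PCIe address of the NIC port
      threads: auto
      promisc: true
      copy-mode: none
```

The command lines in the comments are the switch that decides which section is read: `-q` reads nfq, `--af-packet` reads af-packet, `--dpdk` reads dpdk, and the pcap and pfring sections are only consulted with `--pcap` or `--pfring`. If you never plan to run DPDK, the 0000:3b:00.0 placeholder can stay untouched.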