A few basic questions about Suricata-IDS

I have a few questions about some Suricata-IDS options:

1- Do I need to add port 445 to the port-groups section to protect the file sharing (SMB) service?

2- Should the af-packet section be enabled when Suricata is running in NFQ IPS mode? Or is this section only for AF_PACKET IPS mode?

3- In the interfaces section, I saw something like the following:

   - interface: 0000:3b:00.0 # PCIe address of the NIC port

But I have never defined the value 0000:3b:00.0. Do I have to define the PCIe address for each network card?

4- Which network card should be defined in pcap and pfring sections?

Thank you.

  1. Will depend on your rules in use, generally no.
  2. The packet capture sections only apply when they are in use. If using af-packet, it doesn’t matter whats in the pfring, or nfq sections.
  3. Thats for DPDK. Are you using DPDK?
  4. See (2) above.