A question about choosing a network card

In the /etc/suricata/suricata.yaml file, there are three sections for choosing an interface. One is af-packet, one is pcap and the other is pfring.
Which of these sections should be set to run Suricata-IDS in NFQ IPS or AF_PACKET IPS modes?

Thank you.

Use the af-packet section to set up your interfaces for AF_PACKET IPS; here you would create a pair of interfaces that copy the packets from one to the other and vice versa.

For NFQ you do not need to modify that configuration file. You add -q 0 to your Suricata command line. You can specify multiple queues as needed depending on your NFQ configuration like -q 1 -q 2 -q 3 -q 4.

Thank you so much for your reply.
You said “For NFQ you do not need to modify that configuration file.”, but if I don’t choose the NIC, then Suricata-IDS gives an error message!

NFQ doesn’t work directly with the hardware. You use iptables to steer selected packets to Suricata via queues for a decision. It hooks into the packet routing/forwarding stack of the Linux kernel.

You use -q to enable NFQ mode with the queue(s) to listen on for packets.

Thanks again.
So, does the -q option make Suricata-IDS ignore the interface part of the suricata.yaml file?

There is no interface part of the configuration file; however, af-packet requires interfaces in its configuration. It's best to think of it as modes. AF_PACKET requires interfaces, as do input modes like Netmap and PF_RING. But NFQ operates on queues, not interfaces.

Review 15. Setting up IPS/inline for Linux — Suricata 7.0.2-dev documentation for NFQ.

Thank you so much for your great information.
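
The two modes discussed in this thread, side by side, as an added example that is not from any of the posts or from the Suricata project. The interface names eth0/eth1, the cluster-id values and the queue number are assumptions to adapt to your own host.

```yaml
# /etc/suricata/suricata.yaml (fragment, constructed example)
#
# AF_PACKET IPS: two interfaces form a bridge, each one copying
# its packets to the other. Each interface needs its own cluster-id,
# and the thread count must be the same on both sides of the pair.
af-packet:
  - interface: eth0        # assumed name, e.g. the outside NIC
    threads: 1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    copy-mode: ips         # "ips" lets drop rules block; "tap" only forwards
    copy-iface: eth1       # peer that receives the copied packets
  - interface: eth1        # assumed name, e.g. the inside NIC
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: no
    use-mmap: yes
    copy-mode: ips
    copy-iface: eth0

# Start AF_PACKET IPS with the pair defined above:
#   suricata -c /etc/suricata/suricata.yaml --af-packet
#
# NFQ IPS: no interface entry is read from this file. The kernel hands
# packets to a queue and Suricata listens on that queue number:
#   iptables -I FORWARD -j NFQUEUE --queue-num 0
#   suricata -c /etc/suricata/suricata.yaml -q 0
#
# FORWARD covers traffic routed through the host; traffic to or from
# the host itself would need INPUT/OUTPUT rules instead.
```

In NFQ mode only packets matched by an NFQUEUE rule are inspected, so the rule set defines Suricata's visibility; in AF_PACKET IPS mode everything arriving on either interface of the pair passes through it.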