Operating system and/or Linux distribution: Debian 12.5 (Bookworm)
Installed via apt (bookworm-backports)
I am setting up Suricata on a fresh Debian 12 install and I am configuring it in IPS mode with NFQ.
What config file do I have to edit to make it start in NFQ mode?
(it runs fine if initiated manually from CLI directly with -q 0 flags, but I am looking for a way to accomplish this when the service starts at boot time).
I have already made sure /etc/default/suricata contains line LISTENMODE=nfqueue and is set to yes as suggested here.
I am unable to decipher the script in /etc/init.d/suricata to solve this.
Unfortunately these variables in /etc/default have been made obsolete in 2016. AF_PACKET is now the preselected (and hardcoded) mode in the Suricata package’s systemd unit file. The init.d scripts are no longer used in recent Debian versions, AFAIK. Systemd is the way to go.
It’s not a good idea to directly edit the package systemd unit file (/lib/systemd/system/suricata.service) though, since it will be overwritten with each package update.
If you want, you can override the command line in the packaged systemd unit file using systemd’s drop-in feature. Just create a file /etc/systemd/system/suricata.service.d/override.conf with the following content:
This overrides the default AF_PACKET start by first clearing the previous ExecStart directive and then setting a new one, which you can now tailor as you wish.
Then run
sudo systemctl daemon-reload
and then
sudo systemctl restart suricata
which will then use the overridden command line (note the Drop-In field):
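As an added example (not from the thread or the Debian package), the script below builds the drop-in described above by reading the packaged unit's own ExecStart line and swapping its hard-coded `--af-packet` flag for `-q N`, so the rest of the command line (config path, `-D`, `--pidfile`, whatever the package ships) is preserved rather than guessed. It assumes the unit lives at /lib/systemd/system/suricata.service and uses queue 0, as in the question; both are overridable through environment variables.

```shell
#!/bin/sh
# Added example: derive an NFQ drop-in from the packaged suricata.service.
# Assumed defaults (override via environment): unit path and NFQUEUE number.
set -eu

UNIT="${UNIT:-/lib/systemd/system/suricata.service}"
DROPIN_DIR="${DROPIN_DIR:-/etc/systemd/system/suricata.service.d}"
NFQ_NUM="${NFQ_NUM:-0}"

# Turn one "ExecStart=..." line into its NFQ equivalent.
# Handles both "--af-packet" and "--af-packet=IFACE"; other args are untouched.
to_nfq_execstart() {
    printf '%s\n' "$1" | sed -E "s/--af-packet(=[^ ]*)?/-q ${NFQ_NUM}/"
}

# Render the drop-in. The bare "ExecStart=" line is deliberate: for a
# non-oneshot service systemd rejects a second ExecStart= unless the
# inherited value is reset first.
render_override() {
    printf '[Service]\n'
    printf '# reset the ExecStart inherited from %s\n' "$UNIT"
    printf 'ExecStart=\n'
    printf '%s\n' "$1"
}

install_override() {
    orig=$(grep -m1 '^ExecStart=' "$UNIT") || {
        echo "no ExecStart= line in $UNIT" >&2; return 1; }
    new=$(to_nfq_execstart "$orig")
    [ "$new" != "$orig" ] || {
        echo "no --af-packet flag found; nothing to replace" >&2; return 1; }
    mkdir -p "$DROPIN_DIR"
    render_override "$new" > "$DROPIN_DIR/override.conf"
    systemctl daemon-reload
    systemctl restart suricata
    # The Drop-In field confirms the override is the one in effect.
    systemctl status suricata --no-pager | grep -A1 'Drop-In'
}

# Only modify the system when explicitly asked (keeps the functions sourceable).
if [ "${1:-}" = "--install" ]; then
    install_override
fi
```

Run it as `sudo sh suricata-nfq-dropin.sh --install`; if the packaged ExecStart ever changes its flags, the script fails loudly instead of writing a stale override.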