Hello,
When I install Suricata-IDS on CentOS via the “yum” command, it works as an IDS. How can I switch it to IPS? Is it possible? Or, to work as an IPS, does it need to be compiled from source code with an enable-IPS parameter?
Thank you.
The RPM supports IPS mode. You make this change in /etc/sysconfig/suricata. You would remove -i xxx in the OPTIONS line and replace it with -q 0 or whatever you need.
For example:
OPTIONS="-q 0 --user suricata "
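The change described in the answer above, as an added example that is not part of the original posts or of the Suricata RPM. The function name `to_ips_options`, the interface name `eth0` and the sample file content are assumptions constructed for illustration; the function prints the rewritten file instead of editing it, so the result can be reviewed before it replaces /etc/sysconfig/suricata.

```shell
#!/bin/sh
# Added example: rewrite the OPTIONS line of a sysconfig-style file from
# IDS capture (-i <iface>) to inline NFQUEUE mode (-q <queue>).

# to_ips_options FILE [QUEUE]: print FILE with OPTIONS switched to "-q QUEUE".
# FILE itself is not modified.
to_ips_options() {
    awk -v q="${2:-0}" '
        /^[ \t]*OPTIONS=/ {
            val = $0
            sub(/^[ \t]*OPTIONS=/, "", val)
            gsub(/"/, "", val)               # drop the surrounding quotes
            n = split(val, tok)              # whitespace split, no empty fields
            out = "-q " q
            for (i = 1; i <= n; i++) {
                # drop any capture flag together with its argument
                if (tok[i] == "-i" || tok[i] == "-q") { i++; continue }
                out = out " " tok[i]         # keep the rest, e.g. --user suricata
            }
            print "OPTIONS=\"" out "\""
            next
        }
        { print }                            # comments and other lines unchanged
    ' "$1"
}

# Constructed sample input standing in for /etc/sysconfig/suricata.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample, not the file shipped by the RPM
OPTIONS="-i eth0 --user suricata "
EOF
to_ips_options "$sample"
rm -f "$sample"
```

With `-q`, Suricata only sees packets that a netfilter rule sends to that NFQUEUE number, so the queue id chosen here has to match the firewall rule.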
Is “--user suricata” mandatory?
--user is not required. But the Suricata RPM is set by default to run as a non-root user, which is a good thing. You can remove that and run it as root if you need or want to.
Which one is recommended? Can running as root cause any problems? Or does Suricata-IDS need root access for some protection?
I recommend running as non-root, and that is the way the RPM is set to run by default.