Question about use queue mode accept

wcts · September 11, 2023, 3:52pm

I’am using Suricata in mode IPS, my intention is use run mode “accept”, directioning traffic via firewall for multi queues, that is, it doesn’t matter which interface the packet enters or leaves

My main question is if need setting really one session “af-packet” by interface in my suricata.yaml?

Other question is about cluster-id, what a problem in using same id for all interfaces?

Info:

Suricata v6.0.13
OS: Debian

Thanks

Andreas_Herz · September 13, 2023, 9:18pm

Do you want to run the AF_PACKET IPS mode or do you want to use the netfilter integrated mode with NFQUEUE?

The cluster-id needs to be unique.

Did you read the docs at 15. Setting up IPS/inline for Linux — Suricata 7.0.1-dev documentation to see which mode applies to your scenario?

Topic		Replies	Views
A question about choosing a network card Help	6	314	October 3, 2023
Af-packet vs nfqueue in IPS mode Help	1	682	May 16, 2023
How to set up suricata af_packet IPS mode if my laptop only have one NIC? Help ips , community	2	755	October 8, 2021
How can configure multiple interfaces when using suricata in IPS mode where setting up (LISTENMODE=nfqueue)) Developers ips , suricata	1	585	June 21, 2023
IPTables and IPS Mode Help ips	3	836	February 22, 2023

Question about use queue mode accept

Related topics