Dear all,
on my nginx server, I installed suricata.
It works fine - as long as I use it as an IDS.
Now I am trying to understand the migration process from IDS to IPS.
First, I tried the iptables way:
#!/bin/bash
# hand every packet traversing the FORWARD chain to NFQUEUE (queue 0 by default)
iptables -I FORWARD -j NFQUEUE
Of course, I started suricata using “-q 0”
However, no more detections! Suricata stays silent.
In my /etc/suricata/suricata.yaml, I use:
nfq:
  mode: accept
  fail-open: yes
Then, I tried the nftables way:
#!/usr/sbin/nft -f
#
# chain declaration
#
add chain filter IPS { type filter hook forward priority 10;}
#
# rule declaration
#
add rule filter IPS queue
Yet again, suricata stays silent.
In IDS mode, it works as requested.
In IPS mode, it just stays silent.
Anyone able to give me a helping hand?
Which part didn’t I understand correctly?
Kind regards,
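Added example (not the poster's script, and not Suricata's own code): a POSIX shell helper that emits an nftables ruleset sending packets to NFQUEUE and reads the kernel's queue statistics to confirm that packets actually reach the queue. The function names `ips_ruleset` and `queued_packets`, the table name `ips`, and the use of the `inet` family are assumptions made for this example. It queues the input and output hooks in addition to forward, because the forward hook only sees routed traffic, while a service running on the host itself (such as nginx) is reached through input and output; `bypass` is the kernel-side counterpart of `fail-open`, letting packets through when no userspace listener is bound to the queue.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumed names: ips_ruleset, queued_packets, table "ips".

# Emit an nft ruleset for the given queue number.
# Forward only sees routed traffic; a host-local service (nginx) is reached
# through input/output, so all three hooks are queued. "bypass" accepts
# packets when nothing is listening on the queue (kernel-side fail-open).
ips_ruleset() {
    q="${1:-0}"
    cat <<EOF
table inet ips {
    chain forward {
        type filter hook forward priority 10; policy accept;
        queue num $q bypass
    }
    chain input {
        type filter hook input priority 10; policy accept;
        queue num $q bypass
    }
    chain output {
        type filter hook output priority 10; policy accept;
        queue num $q bypass
    }
}
EOF
}

# Print how many packets the kernel has handed to queue N so far.
# /proc/net/netfilter/nfnetlink_queue has one line per bound queue:
#   queue_num peer_portid queue_total copy_mode copy_range queue_dropped user_dropped id_sequence 1
# Field 8 (id_sequence) counts every packet ever queued. A queue that is
# missing from this file has no listener; one whose counter stays at 0 is
# bound but receiving nothing, i.e. the firewall rules do not match the traffic.
# The second argument (path to a stats file) exists so the parser can be
# exercised on a constructed sample instead of the live proc file.
queued_packets() {
    q="${1:-0}"
    stats="${2:-/proc/net/netfilter/nfnetlink_queue}"
    [ -r "$stats" ] || { echo "cannot read $stats (no listener bound?)" >&2; return 1; }
    awk -v q="$q" '$1 == q { print $8; found = 1 } END { if (!found) print 0 }' "$stats"
}

# Usage: sh ips_nfqueue.sh apply [queue]  -> loads the ruleset via nft -f
#        sh ips_nfqueue.sh check [queue]  -> packets seen by the queue so far
case "${1:-}" in
    apply) ips_ruleset "${2:-0}" | nft -f - ;;
    check) queued_packets "${2:-0}" ;;
esac
```

After starting Suricata with `-q 0` and loading the ruleset with `apply`, running `check` twice while generating traffic to nginx should show the counter increasing; a counter stuck at 0 means the packets never reach the queue, so Suricata has nothing to inspect regardless of its own configuration.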