Suricata in IPS Mode using PCAP

Hi
I am running a PCAP on Suricata
I want it in IPS Mode
I went to /etc/default/suricata and changed LISTENMODE to nfqueue (found this in a DigitalOcean guide)
Changed 1 Signature (2028765) from alert to drop in suricata.rules
Run sudo suricata -T -c /etc/suricata/suricata.yaml -v (To validate Rules file)
Then systemctl restart suricata

But when I run the PCAP again, the action is still “allowed”.
What am I missing?

How did you configure the nftables part of the setup?
If you run in nfqueue mode, you need to ensure the netfilter queue is also used for the traffic.
See 13. Setting up IPS/inline for Linux — Suricata 6.0.4 documentation for more details.

Hi Andreas, I have tried the Suricata Read the Docs; it didn’t work for me.
So I am following this article. Can you point out any mistake in this?

Also, I tried and was able to run Suricata in IPS mode

sudo suricata -c /etc/suricata/suricata.yaml -q 0 -v

But it works only when I ping a custom IP that I have blocked. Only then does it show drop.

But if I want to run IPS mode on a pcap, or if I do a tcpreplay of a pcap on my interface card, it doesn’t drop; it shows alert only

Case 1

sudo suricata -c suricata.yaml -r xyz.pcap -l test/

This is my Suricata pcap command. I only see alerts and action allowed, even when I updated that rule to drop in suricata.rules.

Case 2
In one terminal I am running

sudo suricata -c /etc/suricata/suricata.yaml -q 0 -v

and in the other

sudo tcpreplay -t -v -i eth0 xyz.pcap

I don’t see any alert/drop in fast.log

Hard to tell without more details about your actual setup.
Did you verify, with a -j LOG target for example, that all the packets are forwarded to the NFQUEUE?

Is the tcpreplay running on a different machine or the same one?
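
Added example, not part of the thread or of Suricata itself: a small check that reads `iptables -S` output and reports which chains hand packets to the queue Suricata was started on (`-q 0` above), and which of the built-in chains do not. It assumes iptables-style rules; the function names and the sample ruleset are constructed for illustration.

```shell
#!/usr/bin/env bash
# Reads `iptables -S` output on stdin; prints each chain that has an
# NFQUEUE rule for the given queue number (one chain name per line).
nfq_chains() {
    local queue="$1"
    awk -v q="$queue" '
        $1 == "-A" {
            target = ""; num = 0            # NFQUEUE uses queue 0 if none is given
            for (i = 3; i <= NF; i++) {
                if ($i == "-j") target = $(i + 1)
                if ($i == "--queue-num") num = $(i + 1)
            }
            if (target == "NFQUEUE" && num == q && !seen[$2]++) print $2
        }'
}

# Prints the built-in filter chains that do NOT feed the given queue.
# Traffic crossing those chains never reaches Suricata, so a drop rule
# cannot act on it.
nfq_missing() {
    local queue="$1" rules queued c
    rules="$(cat)"
    queued="$(printf '%s\n' "$rules" | nfq_chains "$queue")"
    for c in INPUT OUTPUT FORWARD; do
        printf '%s\n' "$queued" | grep -qx "$c" || printf '%s\n' "$c"
    done
}

# Constructed sample ruleset (not taken from the thread): only FORWARD
# is sent to queue 0, ICMP on INPUT goes to a different queue, and
# OUTPUT is only logged.
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p icmp -j NFQUEUE --queue-num 1
-A FORWARD -j NFQUEUE --queue-num 0
-A OUTPUT -j LOG --log-prefix "pre-nfq: "'

# Live use on the sensor: sudo iptables -S | nfq_missing 0
```

An empty result from `nfq_missing 0` means every built-in filter chain has at least one rule targeting queue 0; it does not prove that an earlier rule in the chain is not accepting the packets first.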