Hi
I am running a PCAP on Suricata
I want it in IPS Mode
I went to /etc/default/suricata changed LISTENMODE to nfqueue ( found this in digitalocean guide)
Changed 1 Signature (2028765) from alert to drop in suricata.rules
Run sudo suricata -T -c /etc/suricata/suricata.yaml -v (To validate Rules file)
Then systemctl restart suricata
But when I again run PCAP . action is still “allowed”
what I am missing
How did you configure the nftables part of the setup?
If you run in nfqueue mode, you need to ensure the netfilter queue is also used for the traffic.
See 13. Setting up IPS/inline for Linux — Suricata 6.0.4 documentation for more details.
Hi Andreas , I have tried suricata read the docs it didn’t work for me .
So I am following this article . Can you point out any mistake in this
Also I tried and able to run suricata in IPS mode
sudo suricata -c /etc/suricata/suricata.yaml -q 0 -v
But it works only when I ping a custom IP , blocked by me . Then only it shows drop.
But if I want to run IPS mode on a pcap or I want if I do tcpreplay of pcap on my interface card it doesn’t drop it shows alert only
Case 1
sudo suricata -c suricata.yaml -r xyz.pcap -l test/
This is my suricata pcap command . I only see alerts and action allowed , even when i updated that rule to drop in suricata rules.
Case 2
In one terminal I am running
sudo suricata -c /etc/suricata/suricata.yaml -q 0 -v
and in other
sudo tcpreplay -t -v -i eth0 xyz.pcap
I dont see any alert /drop in fast.logHard to tell without more details about your actual setup.
Did you verify, with a -j LOG targaet for example, that all the packets are forwarded to the NFQUEUE?
Is the tcpreplay running on a different machine or the same one?