Unable to run Suricata in IPS Mode

Hello, I am a new user of Suricata.

I have managed to install and run Suricata in system mode (which I understood is IDS) but am unable to run it in IPS mode. Would anybody help look at what is wrong, please?

Here are the configurations I have made:

  1. Installed iptables, python3-yaml, python3-pip, jq, and other dependencies listed on Suricata documentation (autoconf automake build-essential cargo cbindgen libjansson-dev libpcap-dev libpcre2-dev libtool libyaml-dev make pkg-config rustc zlib1g-dev)

  2. Commented out “LISTENMODE=nfqueue” in “/etc/default/suricata”. However, the “sudo systemctl status suricata.service” command still returned the status in system mode.

suricata.service - Suricata IDS/IDP daemon
Loaded: loaded (/lib/systemd/system/suricata.service; enabled; preset: enabled)
Active: active (running) since
Docs: man:suricata(8)
man:suricatasc(8)
https://suricata-ids.org/docs/
Process: 17560 ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid (code=exited, status=0/SUCCES>
Main PID: 17562 (Suricata-Main)
Tasks: 8 (limit: 4620)
Memory: 540.5M
CPU: 51.535s
CGroup: /system.slice/suricata.service
└─17562 /usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid

systemd[1]: Starting suricata.service - Suricata IDS/IDP daemon…
AppSVM-IDPS-ks2 suricata[17560]: [masked time] - - This is Suricata version 6.0.10 RELEASE running in SYSTEM mode
systemd[1]: Started suricata.service - Suricata IDS/IDP daemon.

  3. Entered command “sudo suricata -q 0 -v” which returned:

Notice - This is Suricata version 6.0.10 RELEASE running in SYSTEM mode
Info - CPUs/cores online: 2
Info - NFQ running in standard ACCEPT/DROP mode
Info - fast output device (regular) initialized: fast.log
Info - eve-log output device (regular) initialized: eve.json
Info - stats output device (regular) initialized: stats.log
Info - 1 rule files processed. 40215 rules successfully loaded, 0 rules failed
Info - Threshold config parsed: 0 rule(s) found
Info - 40218 signatures processed. 1239 are IP-only rules, 4874 are inspecting packet payload, 33903 inspect application layer, 108 are decoder event only
Info - binding this thread 0 to queue ‘0’
Error - [ERRCODE: SC_ERR_NFQ_CREATE_QUEUE(72)] - nfq_create_queue failed
Error - [ERRCODE: SC_ERR_NFQ_THREAD_INIT(78)] - nfq thread failed to initialize
zsh: exit 1 sudo suricata -q 0 -v

Based on the above, it is obvious that “nfq_create_queue failed” and “nfq thread failed to initialize”. On top of this, do you see further issues which caused Suricata to persistently run in system mode (i.e. IDS) instead of IPS mode?

How can I resolve the issues?

Thank you for reading this. Your advice would be much appreciated.

Hello there,

As far as I understand, running in System mode is not what will indicate whether Suricata is running in IDS or IPS mode. Suricata can run in SYSTEM mode or in USER mode (in which case it will use user-specific configuration for where to save logs and other important data for the application to run).

For Suricata to run in IPS mode, a set of extra configuration steps will be needed. You can check for instance 12.1. Suricata.yaml — Suricata 8.0.0-dev documentation

The errors when creating the NFQ queue and initializing the threads are something that will need further investigation, though, indeed.

Two additional notes are:

  • if you want Suricata to inspect traffic from more than just the device where it is installed, your setup will also look different (as Suricata will have to first receive all the traffic to be inspected/blocked/etc.) before allowing it into the protected network.
  • the version of Suricata you are running is unsupported and end-of-life, and therefore could have many known bugs and lack other important optimizations. If/when you can, please upgrade to the newest stable release.
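The two NFQ errors in the question (nfq_create_queue / nfq thread init) and the reply's point that IPS mode needs extra setup both come down to preconditions outside suricata.yaml: the nfnetlink_queue kernel module must be loadable and some iptables rule must actually hand packets to the queue number given with -q. The script below is an added preflight check, not code from the thread or from the Suricata project; the function names, the sample rule text and the sample /proc/modules lines are constructed for illustration.

```shell
#!/bin/sh
# nfq_preflight.sh: checks the two things `suricata -q 0` needs before it
# can bind NFQUEUE 0. Added example, not from the thread or the Suricata
# project. Sample inputs below are constructed, not the poster's host.

# 0 if the `iptables -S` text in $1 has a rule sending packets to NFQUEUE
# number $2, via --queue-num N or a --queue-balance A:B range holding N.
nfq_rule_present() {
  printf '%s\n' "$1" | awk -v q="$2" '
    /-j NFQUEUE/ {
      for (i = 1; i <= NF; i++) {
        if ($i == "--queue-num" && $(i+1) + 0 == q + 0) found = 1
        if ($i == "--queue-balance") {
          split($(i+1), r, ":")
          if (r[1] + 0 <= q + 0 && q + 0 <= r[2] + 0) found = 1
        }
      }
    }
    END { exit found ? 0 : 1 }'
}

# 0 if the /proc/modules text in $1 lists nfnetlink_queue (the kernel side
# of NFQUEUE; without it nfq_create_queue cannot succeed).
nfq_module_loaded() {
  printf '%s\n' "$1" | grep -q '^nfnetlink_queue '
}

# Constructed samples used for the self-check.
SAMPLE_RULES_OK='-P INPUT ACCEPT
-A INPUT -j NFQUEUE --queue-num 0
-A FORWARD -j NFQUEUE --queue-balance 0:3'
SAMPLE_RULES_NONE='-P INPUT ACCEPT
-P FORWARD ACCEPT'
SAMPLE_MODULES='nfnetlink_queue 32768 1 - Live 0x0000000000000000
nfnetlink 20480 2 nfnetlink_queue, Live 0x0000000000000000'

# Live check: only when run as root with iptables available, so the file
# can also be sourced for its functions. Queue number from $1, default 0.
if [ "$(id -u)" = 0 ] && command -v iptables >/dev/null 2>&1; then
  q="${1:-0}"
  nfq_module_loaded "$(cat /proc/modules 2>/dev/null)" \
    || echo "nfnetlink_queue is not loaded (try: modprobe nfnetlink_queue)"
  nfq_rule_present "$(iptables -S 2>/dev/null)" "$q" \
    || echo "no rule targets NFQUEUE $q (e.g. iptables -I INPUT -j NFQUEUE --queue-num $q)"
fi
```

On a host with neither a loaded module nor a matching rule, both messages print; that matches the symptom in the question, where the -q 0 run fails before any packet is processed.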