Unable to run Suricata in IPS Mode

Hello, I am a new user of Suricata.

I have managed to install and run Suricata in system mode (which I understood is IDS) but unable to run it in IPS mode. Would anybody help look at what is wrong please?

Here are the configurations I have made:

  1. Installed iptables, python3-yaml, python3-pip, jq, and other dependencies listed on Suricata documentation (autoconf automake build-essential cargo cbindgen libjansson-dev libpcap-dev libpcre2-dev libtool libyaml-dev make pkg-config rustc zlib1g-dev)

  2. Commented out “LISTENMODE=nfqueue” in “/etc/default/suricata”. However, the “sudo systemctl status suricata.service” command still returned the status in system mode.

suricata.service - Suricata IDS/IDP daemon
Loaded: loaded (/lib/systemd/system/suricata.service; enabled; preset: enabled)
Active: active (running) since
Docs: man:suricata(8)
man:suricatasc(8)
https://suricata-ids.org/docs/
Process: 17560 ExecStart=/usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid (code=exited, status=0/SUCCES>
Main PID: 17562 (Suricata-Main)
Tasks: 8 (limit: 4620)
Memory: 540.5M
CPU: 51.535s
CGroup: /system.slice/suricata.service
└─17562 /usr/bin/suricata -D --af-packet -c /etc/suricata/suricata.yaml --pidfile /run/suricata.pid

systemd[1]: Starting suricata.service - Suricata IDS/IDP daemon…
AppSVM-IDPS-ks2 suricata[17560]: [masked time] - - This is Suricata version 6.0.10 RELEASE running in SYSTEM mode
systemd[1]: Started suricata.service - Suricata IDS/IDP daemon.

  3. Entered command “sudo suricata -q 0 -v” which returned:

Notice - This is Suricata version 6.0.10 RELEASE running in SYSTEM mode
Info - CPUs/cores online: 2
Info - NFQ running in standard ACCEPT/DROP mode
Info - fast output device (regular) initialized: fast.log
Info - eve-log output device (regular) initialized: eve.json
Info - stats output device (regular) initialized: stats.log
Info - 1 rule files processed. 40215 rules successfully loaded, 0 rules failed
Info - Threshold config parsed: 0 rule(s) found
Info - 40218 signatures processed. 1239 are IP-only rules, 4874 are inspecting packet payload, 33903 inspect application layer, 108 are decoder event only
Info - binding this thread 0 to queue ‘0’
Error - [ERRCODE: SC_ERR_NFQ_CREATE_QUEUE(72)] - nfq_create_queue failed
Error - [ERRCODE: SC_ERR_NFQ_THREAD_INIT(78)] - nfq thread failed to initialize
zsh: exit 1 sudo suricata -q 0 -v

Based on the above, it is obvious that “nfq_create_queue failed” and “nfq thread failed to initialize”. On top of this, do you see further issues which caused Suricata to persistently run in system mode (i.e. IDS) instead of IPS mode?

How can I resolve the issues?

Thank you for reading this. Your advice would be much appreciated.

Hello there,

As far as I understand, running in System mode is not what will indicate whether Suricata is running in IDS or IPS mode. Suricata can run in SYSTEM mode or in USER mode (in which case it will use user-specific configuration for where to save logs and other important data for the application to run).

For Suricata to run in IPS mode, a set of extra configuration steps will be needed. You can check, for instance, 12.1. Suricata.yaml — Suricata 8.0.0-dev documentation.

The errors when creating the NFQ queue and initializing the threads are something that will need further investigation, though, indeed.

Two additional notes are:

  • if you want Suricata to inspect traffic from more than just the device where it is installed, your setup will also look different (as Suricata will have to first receive all the traffic to be inspected/blocked/etc. before allowing it into the protected network).
  • the version of Suricata you are running is unsupported and end-of-life, and therefore could have many known bugs and lack other important optimizations. If/ when you can, please upgrade to the newest stable release.

I’m new to Suricata. I believe that I have correctly configured the program to run in IPS mode but I would like to confirm that it is set up correctly. Is there a console command that I can run that will tell me whether Suricata is in IDS or IPS mode?

Hi, this is an indirect answer, but I hope it helps:

When you run Suricata, it will usually log a few messages with information about mode and running mode that can help. Two examples:

Notice: suricata: This is Suricata version 9.0.0-dev (9fb33bbaf 2025-09-23) running in USER mode [LogVersion:suricata.c:1208]
Info: cpu: CPUs/cores online: 12 [UtilCpuPrintSummary:util-cpu.c:149]
Info: suricata: Setting engine mode to IDS mode by default [PostConfLoadedSetup:suricata.c:2795]

and

Info: suricata: Setting IPS mode [SCParseCommandLine:suricata.c:1591]
Notice: suricata: This is Suricata version 9.0.0-dev (9fb33bbaf 2025-09-23) running in USER mode [LogVersion:suricata.c:1208]

As a side note, it is generally preferred to use a new topic to ask a new question, if you don’t find a question that has the answer you’re looking for. This keeps the forum more organized, and helps bring attention to your post!
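A small added example, not part of this thread or of the Suricata project, that turns the tip above into a check: it reads Suricata start-up log lines and reports the run mode (SYSTEM/USER), the engine mode (IDS/IPS) and any errors, so the NFQ failure from the first post and the two 9.x outputs classify differently. The regular expressions assume the message wording quoted in this thread; the sample inputs are constructed from those quoted lines.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Message wording as quoted in this thread: 6.0.x logs "Level - msg", 9.x logs "Level: module: msg".
RUN_MODE_RE = re.compile(r"running in (SYSTEM|USER) mode")
ENGINE_MODE_RE = re.compile(r"Setting (?:engine mode to )?(IDS|IPS) mode")
ERROR_LINE_RE = re.compile(r"\bError\s*[-:]\s")
ERRCODE_RE = re.compile(r"\[ERRCODE: (SC_ERR_[A-Z0-9_]+)\(\d+\)\]")

@dataclass
class StartupSummary:
    run_mode: Optional[str] = None     # SYSTEM or USER: where config/logs live, not IDS vs IPS
    engine_mode: Optional[str] = None  # IDS or IPS, as logged by "Setting ... mode"
    errors: List[str] = field(default_factory=list)

def summarize_startup(lines):
    # Walk the start-up log in order; the last mode message seen wins.
    s = StartupSummary()
    for line in lines:
        if m := RUN_MODE_RE.search(line):
            s.run_mode = m.group(1)
        if m := ENGINE_MODE_RE.search(line):
            s.engine_mode = m.group(1)
        if ERROR_LINE_RE.search(line):
            m = ERRCODE_RE.search(line)  # 6.x carries an ERRCODE tag, newer releases do not
            s.errors.append(m.group(1) if m else line.strip())
    return s

def verdict(s):
    # One-line answer to "is Suricata actually running as an IPS?"
    if s.errors:
        return "startup failed: " + ", ".join(s.errors)
    if s.engine_mode is None:
        return "engine mode not found in log"
    return f"{s.engine_mode} engine mode ({s.run_mode or 'unknown'} run mode)"

# Constructed samples, assembled from the lines quoted in this thread.
V6_NFQ_FAILURE = """\
Notice - This is Suricata version 6.0.10 RELEASE running in SYSTEM mode
Info - NFQ running in standard ACCEPT/DROP mode
Error - [ERRCODE: SC_ERR_NFQ_CREATE_QUEUE(72)] - nfq_create_queue failed
Error - [ERRCODE: SC_ERR_NFQ_THREAD_INIT(78)] - nfq thread failed to initialize"""
V9_DEFAULT_IDS = """\
Notice: suricata: This is Suricata version 9.0.0-dev running in USER mode [LogVersion:suricata.c:1208]
Info: suricata: Setting engine mode to IDS mode by default [PostConfLoadedSetup:suricata.c:2795]"""
V9_IPS = """\
Info: suricata: Setting IPS mode [SCParseCommandLine:suricata.c:1591]
Notice: suricata: This is Suricata version 9.0.0-dev running in USER mode [LogVersion:suricata.c:1208]"""
```

Against a real install, feed it the start-up section of the suricata.log file (by default under /var/log/suricata/), e.g. `verdict(summarize_startup(open(path).read().splitlines()))`.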