[Oisf-users] Suricata does not start in NFQ mode

Duarte Silva duarte.silva at serializing.me
Sun Aug 9 13:31:37 UTC 2015


Jason is right. You should only use the -q to define the queue to listen on for packets. You can have multiple -q, one for each queue you have defined with iptables/nftables.

----- Original Message -----
From: "Jason Ish" <lists at unx.ca>
Sent: 08/08/2015 22:43
To: "James Moe" <jimoe at sohnen-moe.com>
Cc: "oisf-users at lists.openinfosecfoundation.org" <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] Suricata does not start in NFQ mode

Hi James,

I have not used nfq mode myself in a long time, but read further inline...

On Sat, Aug 8, 2015 at 3:10 PM, James Moe <jimoe at sohnen-moe.com> wrote:
> linux 3.16.7-21-desktop x86_64
>
> I built suricata with --enable-nfqueue. When I add "-q 0" to the
> command line, the following error is emitted:
>
> /usr/local/bin/suricata -v --pidfile /d500g/var/run/suricata.pid -c
> /usr/local/etc/suricata/suricata.yaml -q 0 -i eth0
> 8/8/2015 -- 13:38:25 - <Error> - [ERRCODE:
> SC_ERR_MULTIPLE_RUN_MODE(126)] - more than one run mode has been specified
> Suricata 2.0.8

I believe with NFQ you do not specify an interface with -i. -i tells
Suricata to use pcap mode on that interface. With NFQ, Suricata
doesn't need to know which interface to listen on, that would be set up
with the iptables tools.

Hope that helps,
Jason
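
The advice in this thread (select NFQ with -q only, leave out -i, and let iptables decide which traffic reaches the queue) as an added example that is not part of the original messages. The function names count_runmodes, nfq_rule and suricata_cmd are hypothetical helpers, and the FORWARD chain is an assumed choice; the script only prints the commands and does not run them.

```shell
#!/bin/sh
# Added example, not from the thread: preflight for starting Suricata in NFQ mode.
# Capture options recognised: -i (pcap), -q (NFQ), -r (pcap file), --af-packet.

# count_runmodes ARGS...: echo how many distinct capture modes are requested.
# Repeated -q counts once: several queues are still a single NFQ run mode.
count_runmodes() {
    pcap=0 nfq=0 file=0 afp=0
    while [ $# -gt 0 ]; do
        case "$1" in
            -i) pcap=1; shift ;;                 # drop option, value dropped below
            -q) nfq=1; shift ;;
            -r) file=1; shift ;;
            --af-packet|--af-packet=*) afp=1 ;;
            -c|--pidfile) shift ;;               # take a value, select no mode
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    echo $((pcap + nfq + file + afp))
}

# nfq_rule CHAIN FIRST [LAST]: print the iptables rule feeding the queue(s).
# --queue-bypass is fail-open: packets pass when nothing is bound to the
# queue. Leave it out if traffic must be blocked while Suricata is down.
nfq_rule() {
    if [ "${3:-$2}" = "$2" ]; then
        echo "iptables -I $1 -j NFQUEUE --queue-num $2 --queue-bypass"
    else
        echo "iptables -I $1 -j NFQUEUE --queue-balance $2:$3 --queue-bypass"
    fi
}

# suricata_cmd CONFIG FIRST [LAST]: matching invocation, one -q per queue, no -i.
suricata_cmd() {
    cmd="suricata -c $1"
    q=$2
    while [ "$q" -le "${3:-$2}" ]; do
        cmd="$cmd -q $q"
        q=$((q + 1))
    done
    echo "$cmd"
}

# The command line quoted in the thread asks for two run modes (-q and -i).
echo "run modes in original command: $(count_runmodes -v --pidfile /d500g/var/run/suricata.pid -c /usr/local/etc/suricata/suricata.yaml -q 0 -i eth0)"
nfq_rule FORWARD 0
suricata_cmd /usr/local/etc/suricata/suricata.yaml 0
```

A count above 1 from count_runmodes corresponds to the SC_ERR_MULTIPLE_RUN_MODE error quoted in the thread.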