[Oisf-users] Running Suricata in nfqueue mode - no events logged

[Albert Whale]

Ok, I have iptables confirmed and Configured.  I have Suricata set up 
for nfq and using queue 0.

In a matter of more than 10 minutes I have had 5 messages which were 
logged to the fast.log file.  In comparison, I have hundreds of entries 
in 10 minutes logged while running Suricata in af-packet mode.

What makes Suricata ignore the packets in the NFQUEUE when running in 
nfq mode?

My current nfq settings are:

nfq:
   mode: accept
   repeat-mark: 1
   repeat-mask: 1
   bypass-mark: 1
   bypass-mask: 1
   route-queue: 2
#  batchcount: 20
   fail-open: yes

I want to run in IPS mode not IDS.  Is there something that needs 
changed when switching from af-packet mode to nfq that I haven't already 
done?  Do I need to switch my mode from accept to repeat?

I have a Bridged interface and I also have provisioned the IPTables on 
the INPUT and OUTPUT sections to forward the packets to queue 0.

I have spent a day working with Chris from the list, and we have 
reviewed and sanctioned the network and queue processing, I need 
assistance with configuring Suricata to enable this.  (Or, do I need to 
compile a version on this system running Ubuntu 16.04?

Thank you all.

-- 
--

Albert E. Whale, CEH CHS CISA CISSP
Email: Albert.Whale at IT-Security-inc.com