Make sure that suricata is started with “-q 0” parameter so it uses NFQUEUE!<\/p>\n\n\n\n
In In In case you are on RHEL or alike:<\/p>\n\n\n\n Make sure that suricata is started with “-q 0” parameter so it uses NFQUEUE! In \/etc\/suricata\/suricata.yaml change to: nfq: mode: repeat repeat-mark: 1 repeat-mask: 1 In \/etc\/ufw\/before.rules and \/etc\/ufw\/before6.rules insert section: ### SURICATA ###-I INPUT 1 -p tcp –dport 22 -j NFQUEUE –queue-bypass-I OUTPUT 1 -p tcp –sport 22 -j NFQUEUE –queue-bypass-I FORWARD 1 -m mark ! –mark 1\/1 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11],"tags":[],"class_list":["post-1379","post","type-post","status-publish","format-standard","hentry","category-linuxunix"],"_links":{"self":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1379","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1379"}],"version-history":[{"count":3,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1379\/revisions"}],"predecessor-version":[{"id":1382,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/1379\/revisions\/1382"}],"wp:attachment":[{"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1379"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1379"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ndk.sytes.net\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1379"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}\/etc\/suricata\/suricata.yaml<\/code> change to:<\/p>\n\n\n\nnfq:
mode: repeat
repeat-mark: 1
repeat-mask: 1<\/pre>\n\n\n\n\/etc\/ufw\/before.rules<\/code> and \/etc\/ufw\/before6.rules<\/code> insert section:<\/p>\n\n\n\n### SURICATA ###
-I INPUT 1 -p tcp --dport 22 -j NFQUEUE --queue-bypass
-I OUTPUT 1 -p tcp --sport 22 -j NFQUEUE --queue-bypass
-I FORWARD 1 -m mark ! --mark 1\/1 -j NFQUEUE
-I INPUT 2 -m mark ! --mark 1\/1 -j NFQUEUE
-I OUTPUT 2 -m mark ! --mark 1\/1 -j NFQUEUE
### END SURICATA ###<\/pre>\n\n\n\nfirewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 22 -j NFQUEUE --queue-bypass
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -j NFQUEUE
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 0 -p tcp --dport 22 -j NFQUEUE --queue-bypass
firewall-cmd --permanent --direct --add-rule ipv6 filter INPUT 1 -j NFQUEUE
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -j NFQUEUE
firewall-cmd --permanent --direct --add-rule ipv6 filter FORWARD 0 -j NFQUEUE
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp --sport 22 -j NFQUEUE --queue-bypass
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 1 -j NFQUEUE
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 0 -p tcp --sport 22 -j NFQUEUE --queue-bypass
firewall-cmd --permanent --direct --add-rule ipv6 filter OUTPUT 1 -j NFQUEUE<\/pre>\n","protected":false},"excerpt":{"rendered":"