Hi @Zrubi, I appreciate what you shared in your 2017 article! Based on my limited technical knowledge, it appears your setup used the NFQueue method, with Suricata acting as a gateway (as opposed to a host) placed somewhere between sys-net and an App VM. I have tried similar settings, but Suricata only worked on traffic generated by sys-Suricata itself, not on traffic from other qubes (e.g. an App VM). Also, I read that communication between qubes is restricted by design (except via Qrexec), so I'm not sure how your settings could allow a sys-Suricata placed in the middle to read and act on (e.g. drop) the network flow generated by an App VM.
Details of my questions (there’s more) and what I tried are here:
Would you be able to help? Thanks.
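For context on the inline (NFQueue) setup discussed in this post: a proxy qube is the gateway for the qubes attached to it, so their packets are routed through it and traverse the FORWARD chain, while INPUT/OUTPUT only carry the proxy's own traffic; Suricata in IPS mode sees only what netfilter queues to it. The script below is an added example, not code from the post or from Zrubi's article; it assumes an iptables-based proxy qube, downstream qubes on `vif+` interfaces, and Qubes' `/rw/config/qubes-firewall-user-script` hook.

```shell
#!/bin/sh
# Added example (not from the original post or Zrubi's article).
# Emits the netfilter rules that hand ROUTED traffic to Suricata in NFQUEUE
# (IPS) mode. Packets a proxy qube forwards for downstream qubes traverse the
# FORWARD chain, not INPUT/OUTPUT, so hooking only INPUT/OUTPUT shows Suricata
# the proxy's own traffic and nothing else.
# Assumptions: iptables-based proxy qube, downstream qubes attached on vif+
# interfaces, Suricata started with the same queue number (-q).

nfqueue_rules() {
    iface="$1"      # interface towards downstream qubes, e.g. vif+
    queue="${2:-0}" # NFQUEUE number Suricata is started with (-q)
    # Insert at position 1 so the rules run before the chain's existing rules.
    # --queue-bypass makes the rule fail OPEN when no process owns the queue;
    # remove it to fail CLOSED (traffic stops when Suricata is down).
    printf 'iptables -I FORWARD 1 -i %s -j NFQUEUE --queue-num %s --queue-bypass\n' "$iface" "$queue"
    printf 'iptables -I FORWARD 1 -o %s -j NFQUEUE --queue-num %s --queue-bypass\n' "$iface" "$queue"
}

# Runs the emitted rules. Intended to be called from the proxy qube's
# /rw/config/qubes-firewall-user-script (assumed hook), because qubes-firewall
# rewrites the rule set when a downstream qube attaches.
apply_rules() {
    nfqueue_rules "$1" "$2" | while read -r cmd; do
        sh -c "$cmd" || return 1
    done
}

# Start Suricata on the same queue once the rules are in place (manual step):
#   suricata -c /etc/suricata/suricata.yaml -q 0

if [ "${1:-}" = "apply" ]; then
    apply_rules "${2:-vif+}" "${3:-0}"
else
    nfqueue_rules "${1:-vif+}" "${2:-0}"   # dry run: print the rules only
fi
```

Check with `iptables -L FORWARD -v -n` that the NFQUEUE rules sit at the top and that their packet counters increase while a downstream qube generates traffic; if only the proxy's counters move, the traffic is not being routed through the chain you hooked.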