<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
        {font-family:Helvetica;
        panose-1:2 11 6 4 2 2 2 2 2 4;}
@font-face
        {font-family:Calibri;
        panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
        {mso-style-priority:99;
        color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {mso-style-priority:99;
        color:purple;
        text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
        {mso-style-priority:99;
        mso-style-link:"Balloon Text Char";
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
p.yiv5651814379msoacetate, li.yiv5651814379msoacetate, div.yiv5651814379msoacetate
        {mso-style-name:yiv5651814379msoacetate;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.yiv5651814379msonormal, li.yiv5651814379msonormal, div.yiv5651814379msonormal
        {mso-style-name:yiv5651814379msonormal;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
p.yiv5651814379msochpdefault, li.yiv5651814379msochpdefault, div.yiv5651814379msochpdefault
        {mso-style-name:yiv5651814379msochpdefault;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.yiv5651814379msohyperlink
        {mso-style-name:yiv5651814379msohyperlink;}
span.yiv5651814379msohyperlinkfollowed
        {mso-style-name:yiv5651814379msohyperlinkfollowed;}
span.yiv5651814379emailstyle17
        {mso-style-name:yiv5651814379emailstyle17;}
span.yiv5651814379balloontextchar
        {mso-style-name:yiv5651814379balloontextchar;}
p.yiv5651814379msonormal1, li.yiv5651814379msonormal1, div.yiv5651814379msonormal1
        {mso-style-name:yiv5651814379msonormal1;
        margin:0in;
        margin-bottom:.0001pt;
        font-size:12.0pt;
        font-family:"Times New Roman","serif";}
span.yiv5651814379msohyperlink1
        {mso-style-name:yiv5651814379msohyperlink1;
        color:blue;
        text-decoration:underline;}
span.yiv5651814379msohyperlinkfollowed1
        {mso-style-name:yiv5651814379msohyperlinkfollowed1;
        color:purple;
        text-decoration:underline;}
p.yiv5651814379msoacetate1, li.yiv5651814379msoacetate1, div.yiv5651814379msoacetate1
        {mso-style-name:yiv5651814379msoacetate1;
        margin:0in;
        margin-bottom:.0001pt;
        font-size:8.0pt;
        font-family:"Tahoma","sans-serif";}
span.yiv5651814379emailstyle171
        {mso-style-name:yiv5651814379emailstyle171;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.yiv5651814379balloontextchar1
        {mso-style-name:yiv5651814379balloontextchar1;
        font-family:"Tahoma","sans-serif";}
p.yiv5651814379msochpdefault1, li.yiv5651814379msochpdefault1, div.yiv5651814379msochpdefault1
        {mso-style-name:yiv5651814379msochpdefault1;
        mso-margin-top-alt:auto;
        margin-right:0in;
        mso-margin-bottom-alt:auto;
        margin-left:0in;
        font-size:10.0pt;
        font-family:"Times New Roman","serif";}
span.EmailStyle31
        {mso-style-type:personal-reply;
        font-family:"Calibri","sans-serif";
        color:#1F497D;}
span.BalloonTextChar
        {mso-style-name:"Balloon Text Char";
        mso-style-priority:99;
        mso-style-link:"Balloon Text";
        font-family:"Tahoma","sans-serif";}
.MsoChpDefault
        {mso-style-type:export-only;
        font-size:10.0pt;}
@page WordSection1
        {size:8.5in 11.0in;
        margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
        {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>You can use the Suricata IPS anywhere in a network. <o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>We don’t use our Suricata installations as gateways. In my opinion Suricata is not set up to be a gateway because it really does not route.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> Jason Long [mailto:hack3rcon@yahoo.com] <br><b>Sent:</b> Tuesday, December 23, 2014 11:35 PM<br><b>To:</b> Leonard Jacobs; 'Menerick, John'; discussion@lists.openinfosecfoundation.org<br><b>Subject:</b> Re: [Discussion] Can I use Suricata in a local network?<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><div><div id="yui_3_16_0_1_1419399005682_4995"><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica","sans-serif";color:black'>Thank you so much.<o:p></o:p></span></p></div><div id="yui_3_16_0_1_1419399005682_4995"><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica","sans-serif";color:black'>As I understand it, I must use Suricata as a gateway. I have a local network with 200 clients, and my network is not large. I use TMG as a gateway, and I want to know: can I use Suricata in my local network and not as a gateway? 
Sorry, my question may be funny, but to be honest, I don't know anything more about IPS.<o:p></o:p></span></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt;background:white'><span style='font-family:"Helvetica","sans-serif";color:black'><o:p> </o:p></span></p></div><div><div><div><div><p class=MsoNormal style='background:white'><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>On Monday, December 22, 2014 9:16 AM, Leonard Jacobs <<a href="mailto:ljacobs@netsecuris.com">ljacobs@netsecuris.com</a>> wrote:</span><span style='font-family:"Helvetica","sans-serif";color:black'><o:p></o:p></span></p></div><p class=MsoNormal style='margin-bottom:12.0pt;background:white'><span style='font-family:"Helvetica","sans-serif";color:black'><o:p> </o:p></span></p><div><div id=yiv5651814379><div><div><div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>You could also set up Suricata to run in af-packet mode to perform IPS. I find it more efficient than using Suricata with iptables for dropping malicious packets. 
We have been using AF_PACKET IPS mode for a long time.</span><span style='font-family:"Helvetica","sans-serif";color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-family:"Helvetica","sans-serif";color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><a href="https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/" target="_blank">https://home.regit.org/2012/09/new-af_packet-ips-mode-in-suricata/</a> Don’t forget: if you want to drop a packet, the signature needs to be changed from alert to drop.</span><span style='font-family:"Helvetica","sans-serif";color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-family:"Helvetica","sans-serif";color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Acquisition_API">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Packet_Acquisition_API</a></span><span style='font-family:"Helvetica","sans-serif";color:black'><o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span style='font-family:"Helvetica","sans-serif";color:black'><o:p></o:p></span></p></div><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><div><p class=MsoNormal style='background:white'><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'>From:</span></b><span 
style='font-size:10.0pt;font-family:"Tahoma","sans-serif";color:black'> <a href="mailto:discussion-bounces@lists.openinfosecfoundation.org">discussion-bounces@lists.openinfosecfoundation.org</a> [<a href="mailto:discussion-bounces@lists.openinfosecfoundation.org">mailto:discussion-bounces@lists.openinfosecfoundation.org</a>] <b>On Behalf Of </b>Menerick, John<br><b>Sent:</b> Monday, December 22, 2014 11:07 AM<br><b>To:</b> Jason Long; <a href="mailto:discussion@lists.openinfosecfoundation.org">discussion@lists.openinfosecfoundation.org</a><br><b>Subject:</b> Re: [Discussion] Can I use Suricata in a local network?</span><span style='font-family:"Helvetica","sans-serif";color:black'><o:p></o:p></span></p></div></div></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica","sans-serif";color:black'> <o:p></o:p></span></p></div><div><p class=MsoNormal style='background:white'><span style='font-family:"Helvetica","sans-serif";color:black'><br>Yes, you can. How you do it depends on the scale of your local network, equipment, and other information technology challenges. <a href="https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux" target="_blank">https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux</a> is one such example. 
For instance, if you need to scale far beyond a Linux router, then you will augment your blocking with remote calls into your network equipment to enact the change.<br><br><br>Warmly,<br><br>John Menerick<br><a href="mailto:Security@NetSuite" target="_blank">Security@NetSuite</a><br><a href="http://www.securesql.info/" target="_blank">http://www.securesql.info</a><br><br>-----Original Message-----<br>From: <a href="mailto:discussion-bounces@lists.openinfosecfoundation.org" target="_blank">discussion-bounces@lists.openinfosecfoundation.org</a> [<a href="mailto:discussion-bounces@lists.openinfosecfoundation.org" target="_blank">mailto:discussion-bounces@lists.openinfosecfoundation.org</a>] On Behalf Of Jason Long<br>Sent: Monday, December 22, 2014 2:44 AM<br>To: <a href="mailto:discussion@lists.openinfosecfoundation.org" target="_blank">discussion@lists.openinfosecfoundation.org</a><br>Subject: [Discussion] Can I use Suricata in a local network?<br><br>Hello Folks.<br>How are you?<br>Excuse me, I want to know: can I use Suricata-IDS in a local network to block bad users in my network and prevent them from attacking my servers? <br>Excuse me if my question is vague.<br><br>Cheers.<br>_______________________________________________<br>Discussion mailing list<br><a href="mailto:Discussion@lists.openinfosecfoundation.org" target="_blank">Discussion@lists.openinfosecfoundation.org</a><br><a href="https://lists.openinfosecfoundation.org/mailman/listinfo/discussion" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/discussion</a><br><br></span><span style='font-family:"Helvetica","sans-serif";color:black'> <o:p></o:p></span></p></div></div></div></div><p class=MsoNormal style='margin-bottom:12.0pt;background:white'><span style='font-family:"Helvetica","sans-serif";color:black'><o:p> </o:p></span></p></div></div></div></div></div></div></body></html>