<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>A process isn't going to be able to resurrect itself if it dies
unexpectedly so you'll need an external monitoring solution. This
could be a simple bash script that is run by cron every minute
(assuming 60 isn't too long to be down) that checks if the
suricata process is running and starts it if it isn't. Or you
could go with an arguably more robust and full-featured option;
something like Monit (<a class="moz-txt-link-freetext" href="https://mmonit.com/monit/">https://mmonit.com/monit/</a>), supervisord
(<a class="moz-txt-link-freetext" href="http://supervisord.org/">http://supervisord.org/</a>), or one of the other similar solutions
out there.<br>
</p>
<p>-David<br>
</p>
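<p>The cron-driven watchdog David describes, written out as an added example (not from the original thread, and not Suricata's own tooling). It assumes Suricata writes its pid to /var/run/suricata.pid and is started with "systemctl start suricata"; both are overridable via environment variables because the right values depend on the install. Cron calls it with the argument "run" every minute, and a stale pidfile left behind by a crash is treated as "not running".</p>

```shell
#!/bin/sh
# suricata-watchdog.sh: added example of a minimal "is it up, else start it"
# check for Suricata, meant to be run from cron once a minute, e.g.:
#   * * * * * /usr/local/sbin/suricata-watchdog.sh run
# Paths and the start command below are assumptions; adjust for your host.

PIDFILE="${PIDFILE:-/var/run/suricata.pid}"
# Assumed systemd service name; override START_CMD for sysvinit or a raw
# "suricata -c ... -D" invocation.
START_CMD="${START_CMD:-systemctl start suricata}"
LOGTAG="suricata-watchdog"

# Returns 0 when the pid recorded in $PIDFILE belongs to a live process.
# Missing, empty or stale pidfiles all count as "not running", which is the
# state after a crash that did not get to clean up after itself.
suricata_alive() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(tr -dc '0-9' < "$PIDFILE")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# Starts Suricata if it is not running. Prints one word describing the
# outcome ("running", "started" or "failed") and returns 1 only when a
# start was attempted and failed, so cron mails you about that case alone.
ensure_running() {
    if suricata_alive; then
        echo "running"
        return 0
    fi
    logger -t "$LOGTAG" "suricata not running, starting it" 2>/dev/null || true
    if sh -c "$START_CMD"; then
        echo "started"
        return 0
    fi
    logger -t "$LOGTAG" "failed to start suricata" 2>/dev/null || true
    echo "failed"
    return 1
}

# Only act when invoked with "run" (as the cron line above does), so the
# functions can be sourced or exercised without touching a real service.
case "${1:-}" in
    run) ensure_running ;;
esac
```

<p>Two caveats a practitioner should weigh before relying on this: kill -0 needs permission to signal the process, so run the job as root (or as the user Suricata runs as), and a pid number can be reused after a crash, so on a long-lived box prefer a check that also confirms the process name (or "systemctl is-active suricata" on systemd hosts) over a bare pid probe. The one-minute cron granularity is also the floor on your blind window; Monit or supervisord can poll faster and, for supervisord, respawn the child immediately on exit.</p>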
<div class="moz-cite-prefix">On 11/19/18 11:26 PM, kavi perumal
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAC4AxKkDPR3Nb_U3JgFBfZiJ5AzPMXwRaCFsx9L=NyzovXKgXw@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">Hi All,
<div><br>
</div>
<div>Thanks for comments. </div>
<div>Nelson, Cooper, Michał Purzyński, actually my
requirement is to allow all traffic in case suricata is down.
I don't want to drop packets.</div>
<div>@Nelson, Cooper: is there any configuration to configure
suricata to restart by itself in case of failure within a
specific time?<br>
</div>
<div><br>
</div>
<div>Regards</div>
<div>-Kavi Perumal G.</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr">On Tue, Nov 20, 2018 at 5:02 AM Nelson, Cooper
<<a href="mailto:cnelson@ucsd.edu" moz-do-not-send="true">cnelson@ucsd.edu</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">That's
actually a great idea and easy to do with a switched tap like
an Arista.<br>
<br>
TBH *everyone* should be doing that anyway for redundancy, we
just can't afford it currently.<br>
<br>
-Coop<br>
<br>
-----Original Message-----<br>
From: Michał Purzyński <<a
href="mailto:michalpurzynski1@gmail.com" target="_blank"
moz-do-not-send="true">michalpurzynski1@gmail.com</a>> <br>
Sent: Monday, November 19, 2018 1:55 PM<br>
To: Nelson, Cooper <<a href="mailto:cnelson@ucsd.edu"
target="_blank" moz-do-not-send="true">cnelson@ucsd.edu</a>><br>
Cc: <a href="mailto:kaviperumal22@gmail.com" target="_blank"
moz-do-not-send="true">kaviperumal22@gmail.com</a>; Open
Information Security Foundation <<a
href="mailto:oisf-users@lists.openinfosecfoundation.org"
target="_blank" moz-do-not-send="true">oisf-users@lists.openinfosecfoundation.org</a>><br>
Subject: Re: [Oisf-users] Is it possible to restart suricata
with zero drops when suricata-IPS crashes<br>
<br>
That's harder than it sounds and needs some architectural
changes.<br>
<br>
You could run two sensors in a fault-tolerant configuration
and have them monitor the same traffic and never restart them
at the same time, I guess.<br>
There is a reason no IDS on the market can do it (unless run
in some kind of FT mode).<br>
<br>
Or, like Cooper said, run IPS and do not forward packets when
Suricata is down.<br>
<br>
Or just live with it.<br>
On Mon, Nov 19, 2018 at 11:02 AM Nelson, Cooper <<a
href="mailto:cnelson@ucsd.edu" target="_blank"
moz-do-not-send="true">cnelson@ucsd.edu</a>> wrote:<br>
><br>
> If you really wanted to do something like this I would
suggest spinning up an indexed full-packet capture solution
(like moloch) and then running suricata in off-line mode
against the resulting pcaps if it crashes. Not an ideal
solution but it will work.<br>
><br>
><br>
><br>
> IF you want suricata to ‘fail closed’ so no data is
passed I think it will do this if it’s configured inline in
IPS mode. In IDS mode you could always use a monitoring tool
to run a script to shut down an interface if the suricata
process is not running.<br>
><br>
><br>
><br>
> -Coop<br>
><br>
><br>
><br>
> From: Oisf-users <<a
href="mailto:oisf-users-bounces@lists.openinfosecfoundation.org"
target="_blank" moz-do-not-send="true">oisf-users-bounces@lists.openinfosecfoundation.org</a>>
<br>
> On Behalf Of kavi perumal<br>
> Sent: Sunday, November 18, 2018 9:40 PM<br>
> To: <a
href="mailto:oisf-users@lists.openinfosecfoundation.org"
target="_blank" moz-do-not-send="true">oisf-users@lists.openinfosecfoundation.org</a><br>
> Subject: [Oisf-users] Is it possible to restart suricata
with zero <br>
> drops when suricata-IPS crashes<br>
><br>
><br>
><br>
> Hi,<br>
><br>
><br>
><br>
> When running suricata in IDS (or) IPS mode in data path,
when there is a crash/failure in suricata, is it possible to
restart suricata with zero packet drops?<br>
><br>
><br>
><br>
> (or) any way to bypass the traffic until suricata gets
restarted?<br>
><br>
><br>
><br>
> Regards<br>
><br>
> -Kavi Perumal G.<br>
><br>
> _______________________________________________<br>
> Suricata IDS Users mailing list: <a
href="mailto:oisf-users@openinfosecfoundation.org"
target="_blank" moz-do-not-send="true">oisf-users@openinfosecfoundation.org</a><br>
> Site: <a href="http://suricata-ids.org" rel="noreferrer"
target="_blank" moz-do-not-send="true">http://suricata-ids.org</a>
| Support: <br>
> <a href="http://suricata-ids.org/support/"
rel="noreferrer" target="_blank" moz-do-not-send="true">http://suricata-ids.org/support/</a><br>
> List: <br>
> <a
href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
><br>
> Conference: <a href="https://suricon.net"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://suricon.net</a><br>
> Trainings: <a href="https://suricata-ids.org/training/"
rel="noreferrer" target="_blank" moz-do-not-send="true">https://suricata-ids.org/training/</a><br>
</blockquote>
</div>
</blockquote>
</body>
</html>