[Oisf-devel] Storing suricata rules in database

Peter Manev petermanev at gmail.com
Sun Oct 18 19:56:54 UTC 2015



> On 18 okt. 2015, at 20:33, ravin goyal <ravirocks1021 at gmail.com> wrote:
> 
> 
> On 18-Oct-2015 10:07 PM, "Jason Ish" <lists at unx.ca> wrote:
> >
> > On Fri, Oct 16, 2015 at 6:33 AM, ravin goyal <ravirocks1021 at gmail.com> wrote:
> > > Hi all, I am working on suricata-2.0.8 and have implemented it in IPS mode
> > > to inspect SSL certificates. I specifically want to inspect SSL
> > > traffic and, based upon the TLS subject field values, we are dropping
> > > the packets.
> > > Works pretty well.
> > >
> > >
> > > But I want to link database with suricata to store rules rather than
> > > flat file structure.
> > > I am going through the source code but I don't know where should I
> > > begin my journey.
> > >
> > > I would appreciate if you provide an alternate solution to my
> > > scenario, if my idea seems pretty broken.
> >
> > I'd try a simpler approach like a small tool that pulled the rules out
> > of the database, wrote out the files and then sent Suricata a reload
> > signal. If using PostgreSQL, have it run in the background, wait for
> > Postgres notifications, write out the rules files and reload.
> >
> > I think I'd explore something like that before modifying Suricata.
> 
> Thanks Jason, I would try it out first as you have suggested, but my concern is related to real-time performance issues with the flat file structure.
> 

How is real-time performance related to one rule file that Suricata reads/reloads from being less performant, as opposed to a database handling the process?


> I want to eliminate the concept of a file in it.
> As the database keeps on updating (with each read/write operation), Suricata behaves accordingly (dropping packets as per the rules).
> Wouldn't it be much simpler?
> 
> Regards
> 
> _______________________________________________
> Suricata IDS Devel mailing list: oisf-devel at openinfosecfoundation.org
> Site: http://suricata-ids.org | Participate: http://suricata-ids.org/participate/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-devel
> Redmine: https://redmine.openinfosecfoundation.org/
> Developer Training in Copenhagen Sept 14-18: http://suricata-ids.org/training/
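The "small tool" Jason describes (pull rules out of the database, write the rules file, tell Suricata to reload) as an added, stand-alone example; this is not code from the thread or from the Suricata project. It assumes an in-memory SQLite table as a stand-in for the PostgreSQL database Jason mentions, constructed sample rows in the style of the TLS-subject drop rules the original poster describes, and that the Suricata 2.0.x ruleset reload signal is SIGUSR2. In a real deployment the PostgreSQL LISTEN/NOTIFY wait loop would simply call sync_once() each time a notification arrives.

```python
import os
import signal
import sqlite3
import tempfile

# Constructed sample rows: (sid, rev, enabled, rule). The tls.subject matches
# mirror what the original poster describes; the values are placeholders.
SAMPLE_ROWS = [
    (9000001, 1, 1, 'drop tls any any -> any any (msg:"Block TLS cert subject example"; '
                    'tls.subject:"CN=bad.example"; sid:9000001; rev:1;)'),
    (9000002, 1, 1, 'alert tls any any -> any any (msg:"Log TLS cert subject example"; '
                    'tls.subject:"CN=watch.example"; sid:9000002; rev:1;)'),
    (9000003, 1, 0, 'drop tls any any -> any any (msg:"Disabled example"; '
                    'tls.subject:"CN=old.example"; sid:9000003; rev:1;)'),
]


def build_sample_db():
    """In-memory SQLite stand-in for the rules database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE rules (sid INTEGER PRIMARY KEY, rev INTEGER NOT NULL, "
                 "enabled INTEGER NOT NULL, rule TEXT NOT NULL)")
    conn.executemany("INSERT INTO rules VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def load_enabled_rules(conn):
    """Return enabled rule texts ordered by sid. A row whose text does not carry
    the sid stored in the row is skipped, so one malformed record cannot
    silently desynchronise the file from the database."""
    rows = conn.execute("SELECT sid, rule FROM rules WHERE enabled = 1 ORDER BY sid").fetchall()
    return [rule for sid, rule in rows if f"sid:{sid};" in rule]


def render_rules_file(rules):
    header = "# generated from the rules database; do not edit by hand\n"
    return header + "".join(r + "\n" for r in rules)


def write_if_changed(path, content):
    """Atomically replace `path` with `content`; return True when it changed.
    Writing to a temp file and renaming means a reload triggered at any moment
    sees either the old complete file or the new complete file, never a
    half-written one."""
    try:
        with open(path) as f:
            if f.read() == content:
                return False
    except FileNotFoundError:
        pass
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".rules-")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(content)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise
    return True


def reload_suricata(pid):
    """Ask a running Suricata 2.0.x to reload its ruleset (SIGUSR2)."""
    os.kill(pid, signal.SIGUSR2)


def sync_once(conn, path, suricata_pid=None):
    """One pull-write-reload cycle. Returns True when the file changed (and,
    if a pid was given, Suricata was signalled); False when nothing changed,
    so unchanged database polls never cause needless reloads."""
    content = render_rules_file(load_enabled_rules(conn))
    if not write_if_changed(path, content):
        return False
    if suricata_pid is not None:
        reload_suricata(suricata_pid)
    return True


def demo_cycle():
    """Run three syncs against the constructed database in a temporary
    directory (no Suricata signalled) and report what each one did."""
    conn = build_sample_db()
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "db.rules")
        first = sync_once(conn, path)           # file created
        second = sync_once(conn, path)          # nothing changed
        with open(path) as f:
            after_first = f.read()
        conn.execute("UPDATE rules SET enabled = 0 WHERE sid = 9000002")
        conn.commit()
        third = sync_once(conn, path)           # rule disabled, file rewritten
        with open(path) as f:
            after_third = f.read()
    return {"first": first, "second": second, "third": third,
            "after_first": after_first, "after_third": after_third}


if __name__ == "__main__":
    for key, value in demo_cycle().items():
        print(key, "->", value)
```

Only the enabled rows reach the file, the write is atomic, and a reload is only requested when the rendered file actually differs from what is on disk; a poll loop (or a PostgreSQL notification handler) just calls sync_once(conn, path, suricata_pid) on every wake-up.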