[Oisf-users] Suricata deployment

corenor corenor at gmail.com
Thu Apr 7 00:29:38 UTC 2011


I wanted to share with the list my experiences with this excellent IDS solution.

I have a custom 'appliance' attached to a 1 Gbps network tap that is
inside our firewall.  The exterior Internet link is 200 Mbps, but full
gig bursts are possible between various segments that cross this
inspection point.

The 'appliance' is built on FC9, so I figured I could compile or
install Snort on the box and retrieve valuable info about the traffic.

I had several challenges with Snort.  I could not get the most recent
version to compile on Fedora Core 9.  The older version did not like
most of the Snort rules, since they introduced new variable types.

I first compiled and configured Suricata 1.0.  This was not very stable,
so I switched to the 1.1 beta.  I am using the Emerging Threats rules
along with barnyard2 output and feeding the results to QRadar.

Everything is working very well with no stability issues.

Regards, and thank you for this project.



On 4/1/11, Martin Holste <mcholste at gmail.com> wrote:
> Couldn't find it on Google, so I thought I'd put it to the list:
> what's the easiest (and most scriptable) way to suppress an event in
> Suricata?  Can I write to a file and HUP Suricata?  This would be for
> FP tuning from a web GUI.
>
> Thanks,
>
> Martin
> _______________________________________________
> Oisf-users mailing list
> Oisf-users at openinfosecfoundation.org
> http://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>

-- 
Sent from my mobile device
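The alert pipeline described in the post (Suricata writing unified2, barnyard2 reading the spool and relaying alerts to a SIEM over syslog) is shown below as an added example; it is not configuration from the original post or from the Suricata or barnyard2 projects. The collector address 10.0.0.5, the sensor name ids-sensor-1, the interface eth1, the spool directory /var/log/suricata and the file paths are all assumptions, and the script only writes the two fragments to a directory you choose so that it can be inspected before anything is copied into /etc.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the two pieces of
# configuration that connect Suricata -> barnyard2 -> a syslog-based SIEM
# collector. Paths, sensor name, interface and collector IP are assumptions.

write_pipeline_config() {
    outdir="$1"      # directory to write the generated fragments into
    collector="$2"   # SIEM syslog collector address (assumed, e.g. 10.0.0.5)
    mkdir -p "$outdir"

    # suricata.yaml fragment: unified2 is the binary alert spool that
    # barnyard2 consumes; Suricata rotates the file at the size limit.
    cat > "$outdir/suricata-outputs.yaml" <<EOF
outputs:
  - unified2-alert:
      enabled: yes
      filename: unified2.alert
      limit: 32mb
EOF

    # barnyard2.conf: the map files let barnyard2 resolve sid/gid to rule
    # text, then alert_syslog_full ships each alert as one syslog message.
    cat > "$outdir/barnyard2.conf" <<EOF
config reference_file:      /etc/suricata/reference.config
config classification_file: /etc/suricata/classification.config
config gen_file:            /etc/suricata/rules/gen-msg.map
config sid_file:            /etc/suricata/rules/sid-msg.map
config hostname: ids-sensor-1
config interface: eth1
input unified2
output alert_syslog_full: sensor_name ids-sensor-1, server $collector, protocol udp, port 514, operation_mode default, log_facility LOG_LOCAL1, log_priority LOG_INFO
EOF
}

# Start barnyard2 against the spool directory. -w keeps a bookmark (waldo)
# file so that a restart resumes where it left off instead of replaying
# every alert already sent to the collector.
start_barnyard2() {
    outdir="$1"
    barnyard2 -c "$outdir/barnyard2.conf" \
              -d /var/log/suricata \
              -f unified2.alert \
              -w "$outdir/barnyard2.waldo"
}

# Usage (assumed values): write_pipeline_config /tmp/ids-cfg 10.0.0.5
```

Two things worth checking in a deployment like this: the alert feed leaves the sensor as plain UDP syslog, so the path to the collector should be a management network rather than a segment the tap monitors, and the spool directory needs enough disk that a collector outage does not cause Suricata to overwrite unified2 files before barnyard2 has read them.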


