[Oisf-users] Restart suricata in IPS mode without traffic loss

Eric Leblond eric at regit.org
Tue Mar 12 12:06:15 UTC 2013


Hi,

On Tue, 2013-03-12 at 11:49 +0000, Stefan Sabolowitsch wrote:
> Hi all,
> I'm not an ipfilter / iptables guru.
> 
> How do I restart suricata without losing good traffic? Currently, if I kill the process and restart, I lose about 30 seconds of traffic while suricata restarts, not good on an e-commerce site.
> I also would like a fail-safe nfqueue bypass in case things go wrong. At the moment, if snort goes down I also get locked out, but it's on a cron job to restart if it's down for more than 1 minute.
> 
> I need some advice please (start / stop script for nfqueue and suri)...

To deal with suricata restart, you can use the --queue-bypass option of
NFQUEUE. This modifies NFQUEUE behavior to have it accept packets when no
program is listening on the queue.

In case of problems with a hung suricata, you can also use the fail-open
option which has recently been introduced into suricata (and requires a
recent kernel). It modifies kernel behavior so that packets are accepted
instead of dropped when a queue is full (which occurs if the process
is hung).

One other point you can consider is using the live rule swap features of
suricata:
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Live_Rule_Swap
This will allow you to update rules without restarting Suricata.

BR,  


> 
> thanks for any help.
> Stefan

-- 
Eric Leblond <eric at regit.org>
Blog: https://home.regit.org/
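As an added example (not from the list post, and not Suricata's or netfilter's own code), a small audit script that checks an iptables-save dump for NFQUEUE rules lacking --queue-bypass and a suricata.yaml fragment for fail-open under the nfq section; both sample inputs are constructed, and the YAML scan assumes the two-space indentation of the stock suricata.yaml.

```python
import re

# Constructed sample of `iptables-save` output: one rule without bypass, one with.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -j NFQUEUE --queue-num 0
-A FORWARD -i eth1 -j NFQUEUE --queue-balance 0:3 --queue-bypass
COMMIT
"""

# Constructed suricata.yaml fragment with fail-open enabled.
SAMPLE_SURICATA_YAML = """\
nfq:
  mode: accept
  fail-open: yes
"""


def nfqueue_rules_without_bypass(dump):
    """Return NFQUEUE rules that lack --queue-bypass.

    Without it, packets hitting -j NFQUEUE while no program listens on the
    queue (e.g. during a suricata restart) are dropped by the kernel."""
    return [line.strip() for line in dump.splitlines()
            if " -j NFQUEUE" in line and "--queue-bypass" not in line]


def bypass_fix(rule):
    """Suggest the same rule with --queue-bypass appended."""
    return rule + " --queue-bypass"


def suricata_fail_open_enabled(yaml_text):
    """True if `fail-open: yes` appears inside the top-level nfq: block.

    Minimal line scan (no YAML library): the block ends at the next
    unindented, non-empty line."""
    in_nfq = False
    for line in yaml_text.splitlines():
        if re.match(r"^nfq:\s*$", line):
            in_nfq = True
            continue
        if in_nfq and line.strip() and not line.startswith(" "):
            in_nfq = False  # left the nfq block
        m = re.match(r"^\s+fail-open:\s*(\S+)", line) if in_nfq else None
        if m:
            return m.group(1).lower() in ("yes", "true")
    return False
```

Run it against the real `iptables-save` output and suricata.yaml on an IPS host to spot rules that would drop traffic during a restart or hang.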
