[Oisf-users] Suricata IPS ???

Cooper F. Nelson cnelson at ucsd.edu
Fri Oct 31 19:43:47 UTC 2014


Suricata is primarily an IDS, which is an intrusion detection system.
So, you can use it to detect DOS attacks against your network.

It can also be configured as an IPS to drop packets that match a signature.

The problem is that lots of the DOS signatures use the 'threshold'
keyword to detect events, which doesn't work very well with a drop rule.
All the packets up to the threshold limit are going to be allowed into
your network (which may be acceptable in some cases).

Additionally, as I am currently painfully aware, if you do not use a
firewall to prevent the big DOS attacks from reaching suricata, you end
up with suricata being DOS'ed itself.

-Coop

On 10/31/2014 12:07 PM, Jeripotula, Shashiraj wrote:
> Not sure, then, what is the purpose of emerging-dos.rules from emerging threats ???
> -----Original Message-----
> From: Cooper F. Nelson [mailto:cnelson at ucsd.edu] 
> Sent: Friday, October 31, 2014 12:02 PM
> To: Jeripotula, Shashiraj; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata IPS ???
> I wouldn't use suricata to prevent DOS attacks, I would use a firewall.
> I haven't tried it with suricata, but there is an open-source project to automate this with snort:
> http://www.snortsam.net/
> Take care to only block DOS attacks where you are confident of the source address!
> -Coop
> On 10/31/2014 11:55 AM, Jeripotula, Shashiraj wrote:
>> Thank Coop,
>> For the immediate response.
>> Anoop mentioned the same thing.
>> But, there are so many rules, so many alerts. Which one to change to drop.
>> What is the efficient way of using Suricata as IPS and preventing dos attacks.
>> Thanks
>> Raj

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
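Added worked example (not part of Coop's message or of Suricata itself): a small model of how the two rate keywords count matches, replayed over a constructed packet stream, to show concretely how many packets a drop rule lets through before it starts dropping. It implements the documented counting semantics of 'threshold: type threshold, track by_src, count N, seconds S' (fire on every N-th match per source within the window) and of 'detection_filter: track by_src, count N, seconds S' (fire on every match after N within the window). It does not model Suricata's internals, only that counting, and the rule text, addresses and packet rates in it are made up for the illustration.

```python
"""Model of Suricata's per-source rate keywords combined with a drop action.

Constructed example, not Suricata code.  Two keywords are modelled, using
their documented counting semantics (tracked by source address):

  threshold: type threshold, track by_src, count N, seconds S;
      -> the rule fires on every N-th match from a source within S seconds
  detection_filter: track by_src, count N, seconds S;
      -> the rule fires on every match from a source after N matches in S seconds

A rule with action 'drop' only drops a packet on which it fires, so the
difference between the two keywords decides how much of a flood gets in.
The rule text below is illustrative, not a real Emerging Threats rule:

  drop udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"constructed DOS example";
      threshold: type threshold, track by_src, count 100, seconds 10; ...)
"""
from dataclasses import dataclass, field


@dataclass
class RateKeyword:
    kind: str        # "threshold" (type threshold) or "detection_filter"
    count: int       # count N
    seconds: float   # seconds S
    # per-source state: (start of current window, matches seen in it)
    state: dict = field(default_factory=dict)

    def fires(self, src: str, ts: float) -> bool:
        """Return True if the rule action applies to this matching packet."""
        start, n = self.state.get(src, (ts, 0))
        if ts - start >= self.seconds:      # window expired: start a new one
            start, n = ts, 0
        n += 1
        self.state[src] = (start, n)
        if self.kind == "threshold":        # every count-th match only
            return n % self.count == 0
        if self.kind == "detection_filter": # every match once count is exceeded
            return n > self.count
        raise ValueError("unknown keyword kind: %r" % self.kind)


def replay(keyword: RateKeyword, packets) -> tuple:
    """Run matching packets (timestamp, src) through a drop rule using
    `keyword`; return (passed, dropped) counts."""
    passed = dropped = 0
    for ts, src in packets:
        if keyword.fires(src, ts):
            dropped += 1
        else:
            passed += 1
    return passed, dropped


def flood(src: str, n: int, rate: float):
    """Constructed stream: n matching packets from src at `rate` packets/s."""
    return [(i / rate, src) for i in range(n)]


def compare(packets, count: int = 100, seconds: float = 10.0) -> dict:
    """Replay the same stream through both keywords with the same N and S."""
    return {
        kind: replay(RateKeyword(kind, count, seconds), packets)
        for kind in ("threshold", "detection_filter")
    }


if __name__ == "__main__":
    # Constructed: one source floods 1000 packets in 10 s, a second source
    # sends 50 packets in the same period (well under the count).
    stream = flood("198.51.100.7", 1000, 100) + [(i * 0.2, "203.0.113.9") for i in range(50)]
    for kind, (passed, dropped) in compare(stream).items():
        print("%-16s passed=%4d dropped=%4d" % (kind, passed, dropped))
```

With count 100 over a 10 second window, 'type threshold' drops only every 100th packet of the flood, so 990 of the 1000 flood packets reach the network; 'detection_filter' lets the first 100 through and drops the remaining 900. Either way the low-rate second source is untouched because tracking is by source. Neither keyword stops the packets from reaching Suricata in the first place, which is why the big floods still belong in front of it, on the firewall.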