[Oisf-users] Suricata IPS ???

Cooper F. Nelson cnelson at ucsd.edu
Fri Oct 31 19:43:47 UTC 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Suricata is primarily an IDS, which is an intrusion detection system.
So, you can use it to detect DOS attacks against your network
infrastructure.

It can also be configured as an IPS to drop packets that match a signature.

The problem is that lots of the DOS signatures use the 'threshold'
keyword to detect events, which doesn't work very well with a drop rule.
All the packets up to the threshold limit are going to be allowed into
your network (which may be acceptable in some cases).

Additionally, as I am currently painfully aware, if you do not use a
firewall to prevent the big DOS attacks from reaching suricata, you end
up with suricata being DOS'ed itself.

-Coop

On 10/31/2014 12:07 PM, Jeripotula, Shashiraj wrote:
> Not sure, then, what is the purpose of emerging-dos.rules from emerging threats ???
> 
> -----Original Message-----
> From: Cooper F. Nelson [mailto:cnelson at ucsd.edu] 
> Sent: Friday, October 31, 2014 12:02 PM
> To: Jeripotula, Shashiraj; oisf-users at lists.openinfosecfoundation.org
> Subject: Re: [Oisf-users] Suricata IPS ???
> 
> I wouldn't use suricata to prevent DOS attacks, I would use a firewall.
> 
> I haven't tried it with suricata, but there is an open-source project to automate this with snort:
> 
> http://www.snortsam.net/
> 
> Take care to only block DOS attacks where you are confident of the source address!
> 
> -Coop
> 
> On 10/31/2014 11:55 AM, Jeripotula, Shashiraj wrote:
>> Thanks Coop,
>>
>> For the immediate response.
>>
>> Anoop mentioned the same thing.
>>
>> But, there are so many rules, so many alerts. Which one to change to drop?
>>
>> What is the efficient way of using Suricata as IPS and preventing DOS attacks?
>>
>> Thanks
>>
>> Raj

-- 
Cooper Nelson
Network Security Analyst
UCSD ACT Security Team
cnelson at ucsd.edu x41042
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJUU+ZzAAoJEKIFRYQsa8FW8+IH/A8kmM2jYVw4SEhTwz2l1tcj
u5pnEZm6wd9F83BTrvcX6SLYgo3GLMmu7RK7A5pjbueZJs/9bkoMKVQS78F6oL8t
K4P/UrG5gjOmrf6xv00mLC2vvI5p3yJCNyKHiUkCW+oLfMlS320BWTEJkTd8yWaw
aQ4uBOqU5R8LDYFk0t+bQtI5tFSZrKXyX3Q5narbUYaEm88SiQxWQeH+MN3tciAF
Kcoke2uJcHZEw1xup8w6hiTUU8aADugaYj6rLKm6DceEsSZ2Nuhw0mWOIyYH9qMF
EsY1un7Gf10zj1BMBeecXPFcfno/LSmpy+22Czw5QQX/6HhwD1soPAiOencCMt0=
=t2sb
-----END PGP SIGNATURE-----
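The point in the message above about 'threshold' combined with a drop action can be made concrete with a small simulator. This is an added example, not code from the thread or from the Suricata project: it models, in simplified form, the documented semantics of `threshold: type threshold` (fire on every Nth match), `threshold: type limit` (fire on the first N matches) and `detection_filter` (fire on every match after the Nth), using one per-source counter that restarts when the time window expires. It runs a constructed 25-packet SYN burst through each mode and reports which packets the drop rule would actually drop and which would still reach the protected host. The packet data, the rule text in the docstring and the sid values are constructed placeholders.

```python
"""Simplified model of how Suricata's per-rule rate keywords interact with
a 'drop' action. Added example, not code from the mailing-list thread or
from Suricata itself; window handling is a simplification of the real
implementation.

Constructed rule shapes being modelled (placeholder sids):

  drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SYN burst (threshold)"; \
      flags:S; threshold: type threshold, track by_src, count 10, seconds 60; \
      sid:1000001; rev:1;)

  drop tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SYN burst (detection_filter)"; \
      flags:S; detection_filter: track by_src, count 10, seconds 60; \
      sid:1000002; rev:1;)
"""
from dataclasses import dataclass


@dataclass
class Packet:
    seq: int    # position in the stream, 1-based
    src: str    # source address the rule tracks (track by_src)
    ts: float   # arrival time in seconds


@dataclass
class TrackState:
    window_start: float
    count: int = 0


def rule_fires(packets, mode, count, seconds):
    """Return the seq numbers on which a drop rule using the given rate
    keyword fires, i.e. the packets that are actually dropped.

    mode is one of:
      "threshold"         threshold: type threshold -> fire on every Nth match
      "limit"             threshold: type limit     -> fire on the first N matches
      "detection_filter"  detection_filter          -> fire on every match after N
    """
    state = {}      # src -> TrackState
    fired = []
    for p in packets:
        st = state.get(p.src)
        # Start a fresh window on the first match from this source, or once
        # the previous window has expired (simplified reset semantics).
        if st is None or p.ts - st.window_start >= seconds:
            st = TrackState(window_start=p.ts)
            state[p.src] = st
        st.count += 1
        if mode == "threshold":
            if st.count == count:
                fired.append(p.seq)
                st.count = 0        # every Nth match, counter restarts
        elif mode == "limit":
            if st.count <= count:
                fired.append(p.seq)
        elif mode == "detection_filter":
            if st.count > count:
                fired.append(p.seq)
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return fired


def leaked(packets, mode, count, seconds):
    """Packets that reach the protected host because the rule did not fire."""
    dropped = set(rule_fires(packets, mode, count, seconds))
    return [p.seq for p in packets if p.seq not in dropped]


# Constructed sample traffic: 25 SYNs from one source at 0.1 s spacing,
# all well inside a single 60-second window.
FLOOD = [Packet(seq=i, src="203.0.113.7", ts=0.1 * (i - 1)) for i in range(1, 26)]

# Constructed sample with a gap: 5 SYNs, then 10 more starting 100 s later,
# so the second burst begins in a fresh window.
SPACED = FLOOD[:5] + [
    Packet(seq=i, src="203.0.113.7", ts=100.0 + 0.1 * (i - 6)) for i in range(6, 16)
]

if __name__ == "__main__":
    for mode in ("threshold", "limit", "detection_filter"):
        print(f"{mode:17s} drops {rule_fires(FLOOD, mode, 10, 60)}")
        print(f"{'':17s} leaks {leaked(FLOOD, mode, 10, 60)}")
```

With count 10, `type threshold` drops only packets 10 and 20 of the 25 and admits the other 23; `detection_filter` drops everything from packet 11 onward, which is the behaviour a rate-based drop rule usually wants, but still admits the first 10. In the spaced sample the window reset means the second burst never accumulates enough matches to fire at all. None of this helps when the flood is large enough to saturate the sensor itself, which is why the message above puts an upstream firewall in front of Suricata for the big attacks.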