[Oisf-users] Suricata IPS ???

Xavier Romero XRomero at nexica.com
Fri Oct 31 20:02:41 UTC 2014

In my case, I use Suricata to trigger an alert when a DOS/DDOS attack is in progress; then a very simple perl script catch these alerts and launch approppiate commands on our edge firewalls/routers.

For a REAL DoS attack you need to launch BlackHole configurations to your transit providers, otherwise any device in your network would be dos'ed, so the fix needs to be applied before the attack hits your door.

Best regards,
Xavier Romero.

Sent from my iPad

> On 31 Oct 2014, at 20:46, "Cooper F. Nelson" <cnelson at ucsd.edu> wrote:
> Hash: SHA1
> Suricata is primarily an IDS, which is an intrusion detection system.
> So, you can use it to detect DOS attacks against your network
> infrastructure.
> It can also be configured as an IPS to drop packets that match a signature.
> The problem is that lots of the DOS signatures use the 'threshold'
> keyword to detect events, which doesn't work very well with a drop rule.
> All the packets up to the threshold limit are going to be allowed into
> your network (which may be acceptable in some cases).
> Additionally, as I'm am currently painfully aware, if you do not use a
> firewall to prevent the big DOS attacks from reaching suricata, you end
> up with suricata being DOS'ed itself.
> - -Coop
>> On 10/31/2014 12:07 PM, Jeripotula, Shashiraj wrote:
>> Not sure, then, what is the purpose of emerging-dos.rules from emerging threats ???
>> -----Original Message-----
>> From: Cooper F. Nelson [mailto:cnelson at ucsd.edu] 
>> Sent: Friday, October 31, 2014 12:02 PM
>> To: Jeripotula, Shashiraj; oisf-users at lists.openinfosecfoundation.org
>> Subject: Re: [Oisf-users] Suricata IPS ???
>> I wouldn't use suricata to prevent DOS attacks, I would use a firewall.
>> I haven't tried it with suricata, but there is an open-source project to automate this with snort:
>> http://www.snortsam.net/
>> Take care to only block DOS attacks where you are confident of the source address!
>> -Coop
>>> On 10/31/2014 11:55 AM, Jeripotula, Shashiraj wrote:
>>> Thank Coop,
>>> For the immediate reponse.
>>> Anoop mentioned the same thing.
>>> But, there are so many rules, so many alerts. Which one to change to drop.
>>> What is the efficient way of using Suricata as IPS and preventing dos attacks.
>>> Thanks
>>> Raj
> - -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ACT Security Team
> cnelson at ucsd.edu x41042
> Version: GnuPG v2.0.17 (MingW32)
> u5pnEZm6wd9F83BTrvcX6SLYgo3GLMmu7RK7A5pjbueZJs/9bkoMKVQS78F6oL8t
> K4P/UrG5gjOmrf6xv00mLC2vvI5p3yJCNyKHiUkCW+oLfMlS320BWTEJkTd8yWaw
> aQ4uBOqU5R8LDYFk0t+bQtI5tFSZrKXyX3Q5narbUYaEm88SiQxWQeH+MN3tciAF
> Kcoke2uJcHZEw1xup8w6hiTUU8aADugaYj6rLKm6DceEsSZ2Nuhw0mWOIyYH9qMF
> EsY1un7Gf10zj1BMBeecXPFcfno/LSmpy+22Czw5QQX/6HhwD1soPAiOencCMt0=
> =t2sb
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Training now available: http://suricata-ids.org/training/

More information about the Oisf-users mailing list