[Oisf-users] Suricata IPS ???

rmkml rmkml at yahoo.fr
Fri Oct 31 21:01:35 UTC 2014

Thx all,

Yes you are right Xavier, for big DDoS you need blocking at the network providers,

but for "classic" everyday scans (ip/port/web/...), I request adding a "Quarantine" mode to Suricata please,

allowing blocking of an IP for a configured time.
(use with caution)

Not available on Suricata, but is it on the Roadmap?

Of course the quarantine function is available via an external script.

Maybe create a new keyword in the sig like quarantine:ip_src,1h,block;

(another mode for quarantine is rate-limit for example)

Another tip is to create a new module that receives all IPS alerts and, when greater than x, starts quarantine...


On Fri, 31 Oct 2014, Xavier Romero wrote:

> In my case, I use Suricata to trigger an alert when a DOS/DDOS attack is in progress; then a very simple perl script catches these alerts and launches appropriate commands on our edge firewalls/routers.
> For a REAL DoS attack you need to launch BlackHole configurations to your transit providers, otherwise any device in your network would be dos'ed, so the fix needs to be applied before the attack hits your door.
> Best regards,
> Xavier Romero.
> Sent from my iPad
>> On 31 Oct 2014, at 20:46, "Cooper F. Nelson" <cnelson at ucsd.edu> wrote:
>> Suricata is primarily an IDS, which is an intrusion detection system.
>> So, you can use it to detect DOS attacks against your network
>> infrastructure.
>> It can also be configured as an IPS to drop packets that match a signature.
>> The problem is that lots of the DOS signatures use the 'threshold'
>> keyword to detect events, which doesn't work very well with a drop rule.
>> All the packets up to the threshold limit are going to be allowed into
>> your network (which may be acceptable in some cases).
>> Additionally, as I am currently painfully aware, if you do not use a
>> firewall to prevent the big DOS attacks from reaching suricata, you end
>> up with suricata being DOS'ed itself.
>> -Coop
>>> On 10/31/2014 12:07 PM, Jeripotula, Shashiraj wrote:
>>> Not sure, then, what is the purpose of emerging-dos.rules from emerging threats ???
>>> -----Original Message-----
>>> From: Cooper F. Nelson [mailto:cnelson at ucsd.edu]
>>> Sent: Friday, October 31, 2014 12:02 PM
>>> To: Jeripotula, Shashiraj; oisf-users at lists.openinfosecfoundation.org
>>> Subject: Re: [Oisf-users] Suricata IPS ???
>>> I wouldn't use suricata to prevent DOS attacks, I would use a firewall.
>>> I haven't tried it with suricata, but there is an open-source project to automate this with snort:
>>> http://www.snortsam.net/
>>> Take care to only block DOS attacks where you are confident of the source address!
>>> -Coop
>>>> On 10/31/2014 11:55 AM, Jeripotula, Shashiraj wrote:
>>>> Thank Coop,
>>>> For the immediate response.
>>>> Anoop mentioned the same thing.
>>>> But, there are so many rules, so many alerts. Which one to change to drop.
>>>> What is the efficient way of using Suricata as IPS and preventing dos attacks.
>>>> Thanks
>>>> Raj
>> --
>> Cooper Nelson
>> Network Security Analyst
>> UCSD ACT Security Team
>> cnelson at ucsd.edu x41042
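Both rmkml's sketch (a module that receives the IPS alerts and quarantines a source for a configured time once a count is exceeded) and Xavier's alert-catching script can be illustrated with a small added example. The Python below is not code from this thread or from the Suricata project. It assumes Suricata's EVE JSON output (one JSON object per line with `event_type`, `timestamp` and `src_ip`), feeds it constructed sample lines, keeps a never-block list for addresses you are not willing to act on (Coop's caveat about source-address confidence), and only records the iptables commands it would issue instead of executing them.

```python
"""Time-limited quarantine driven by Suricata EVE JSON alerts.

Added example, not code from the oisf-users thread or from Suricata. Alerts
are counted per source address inside a sliding window; when the count
reaches a threshold the address is quarantined for a configurable time and
released automatically when the time is up. Firewall commands are recorded
in a dry-run list rather than executed.
"""
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Timestamp format Suricata writes into the EVE "timestamp" field.
EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_eve_ts(ts: str) -> datetime:
    return datetime.strptime(ts, EVE_TS_FORMAT)


class Quarantine:
    def __init__(self, threshold, window, block_for, never_block=()):
        self.threshold = threshold                     # alerts needed inside the window
        self.window = timedelta(seconds=window)        # sliding window length
        self.block_for = timedelta(seconds=block_for)  # quarantine duration
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.recent = defaultdict(deque)  # src_ip -> alert timestamps in the window
        self.blocked = {}                 # src_ip -> datetime when the block expires
        self.actions = []                 # commands that would be issued (dry run)

    def is_protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def expire(self, now):
        """Release every quarantine whose time is up (clock is the event time)."""
        for ip, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[ip]
                self.actions.append(f"iptables -D INPUT -s {ip} -j DROP")  # illustrative only

    def is_blocked(self, ip, now):
        self.expire(now)
        return ip in self.blocked

    def observe(self, line):
        """Consume one EVE line; return the IP if this line triggered a quarantine."""
        event = json.loads(line)
        if event.get("event_type") != "alert":
            return None  # flow, dns, http ... records are ignored
        ip = event["src_ip"]
        now = parse_eve_ts(event["timestamp"])
        self.expire(now)
        if self.is_protected(ip) or ip in self.blocked:
            return None
        hits = self.recent[ip]
        hits.append(now)
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) < self.threshold:
            return None
        self.blocked[ip] = now + self.block_for
        hits.clear()
        self.actions.append(f"iptables -I INPUT -s {ip} -j DROP")  # illustrative only
        return ip


def make_alert(ts, src_ip, dest_port, sid=1000001):
    # Constructed EVE alert record; addresses and sid are placeholders.
    return json.dumps({
        "timestamp": ts, "event_type": "alert", "src_ip": src_ip,
        "dest_ip": "192.0.2.10", "dest_port": dest_port, "proto": "TCP",
        "alert": {"signature_id": sid, "signature": "CONSTRUCTED SCAN probe"},
    })


# Constructed sample: 198.51.100.7 probes five ports in 40 s, 203.0.113.9 only
# twice, 192.0.2.5 (on the never-block list) six times, then 198.51.100.7
# returns two hours later, after its quarantine has expired.
SAMPLE_EVE_LINES = [
    make_alert("2014-10-31T21:00:00.000000+0000", "198.51.100.7", 22),
    make_alert("2014-10-31T21:00:01.000000+0000", "192.0.2.5", 22),
    make_alert("2014-10-31T21:00:02.000000+0000", "192.0.2.5", 23),
    make_alert("2014-10-31T21:00:03.000000+0000", "192.0.2.5", 80),
    make_alert("2014-10-31T21:00:04.000000+0000", "192.0.2.5", 443),
    make_alert("2014-10-31T21:00:05.000000+0000", "203.0.113.9", 80),
    make_alert("2014-10-31T21:00:06.000000+0000", "192.0.2.5", 8080),
    make_alert("2014-10-31T21:00:07.000000+0000", "192.0.2.5", 3389),
    make_alert("2014-10-31T21:00:10.000000+0000", "198.51.100.7", 23),
    make_alert("2014-10-31T21:00:15.000000+0000", "203.0.113.9", 443),
    make_alert("2014-10-31T21:00:20.000000+0000", "198.51.100.7", 80),
    make_alert("2014-10-31T21:00:30.000000+0000", "198.51.100.7", 443),
    json.dumps({"timestamp": "2014-10-31T21:00:35.000000+0000",
                "event_type": "flow", "src_ip": "198.51.100.7"}),
    make_alert("2014-10-31T21:00:40.000000+0000", "198.51.100.7", 8080),
    make_alert("2014-10-31T23:05:00.000000+0000", "198.51.100.7", 22),
]


def run(lines, threshold=5, window=60, block_for=3600, never_block=("192.0.2.0/24",)):
    q = Quarantine(threshold, window, block_for, never_block)
    newly_blocked = [ip for ip in map(q.observe, lines) if ip]
    return q, newly_blocked


if __name__ == "__main__":
    q, blocked = run(SAMPLE_EVE_LINES)
    print("quarantined:", blocked)
    for cmd in q.actions:
        print("would run:", cmd)
```

In production the same loop would tail eve.json and the dry-run list would become a call into whatever blocks at the edge; the never-block list and the expiry are what make this safe to run unattended.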
