[Oisf-users] Two questions about using suricata as IPS in production environments

C. L. Martinez carlopmart at gmail.com
Fri Jan 23 07:16:58 UTC 2015

Hi all,

 After sometime using suricata as IDS in our infrastructure, next step
is to move these suricata sensors as an IPS.

 At this point I have some doubts. From the point of view of software
and hardware failure, I see two "problems":

a) If we made some mistake reconfiguring suricata, or appears some
error with rules or if appears some another type of problem at
software level, suricata stops. Then, due to this is a production
environment, all traffic that cross this sensor, it doesn't flow. If I
am not wrong, configuring a bridge at SO level, this problem
disappears. Is it correct??

b) The most important problem: a hardware failure (network interfaces
goes down). What to do in this case?? Due to this is an
electronic/electrical problem, what type of hardware do I need to
use?? Commercial products as for example, Sourcefire appliances solves
these type of problems.

There is a third path to avoid a hardware problem: use virtualization
(ESXi as a first option). But this is an important performance

Suggestions?? Ideas??

All suricata IDS sensors are installed in FreeBSD hosts ... And this
is our first SO option. I don't want to use any Linux with systemd in
production environments.

Many thanks for your help.

More information about the Oisf-users mailing list