[Oisf-users] Two questions about using suricata as IPS in production environments
C. L. Martinez
carlopmart at gmail.com
Fri Jan 23 07:16:58 UTC 2015
Hi all,
After some time using suricata as an IDS in our infrastructure, the next step
is to move these suricata sensors to an IPS.
At this point I have some doubts. From the point of view of software
and hardware failure, I see two "problems":
a) If we make some mistake reconfiguring suricata, or some error appears
with rules, or some other type of problem appears at the software
level, suricata stops. Then, since this is a production environment,
all traffic that crosses this sensor doesn't flow. If I am not wrong,
by configuring a bridge at the OS level this problem disappears. Is it
correct??
b) The most important problem: a hardware failure (network interfaces
go down). What to do in this case?? Since this is an
electronic/electrical problem, what type of hardware do I need to
use?? Commercial products, such as Sourcefire appliances, solve
these types of problems.
There is a third path to avoid a hardware problem: use virtualization
(ESXi as a first option). But this carries an important performance
penalty.
Suggestions?? Ideas??
All suricata IDS sensors are installed on FreeBSD hosts ... and this
is our first OS option. I don't want to use any Linux with systemd in
production environments.
Many thanks for your help.
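The post separates two ways an inline sensor can stop passing traffic: the engine process dies (a software fault) or a bridge member loses link (a hardware fault), and the right reaction differs for each. The following health-check sketch is an added example, not code from the poster or from the Suricata project: it parses the `status:` line FreeBSD's ifconfig(8) prints for a physical NIC and turns the process state plus both link states into one verdict an operator or monitoring system can act on. The interface names em0/em1 and the embedded ifconfig output are constructed, not captured from a real host.

```shell
#!/bin/sh
# Health check for an inline Suricata sensor on FreeBSD (added example).
# Two failure modes are kept apart:
#   - software: the suricata process is gone, a restart is the fix
#   - hardware: a bridge member reports no carrier, no restart will help
# Interface names em0/em1 and the sample ifconfig(8) output are constructed.

# link_state IFCONFIG_OUTPUT -> prints "active", "no carrier" or "unknown".
# Reads the "status:" line that FreeBSD ifconfig prints for physical NICs.
link_state() {
    state=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*status:[[:space:]]*//p' | head -n 1)
    if [ -z "$state" ]; then
        printf 'unknown\n'
    else
        printf '%s\n' "$state"
    fi
}

# classify SURICATA_RUNNING(0/1) LINK_A LINK_B -> prints one verdict:
#   ok               both members have carrier and the engine is running
#   software-failure engine not running, links fine: restart it and alert;
#                    whether traffic still flows depends on the bridge, not
#                    on the engine
#   hardware-failure a member has no carrier: only a bypass NIC, a redundant
#                    path or a hands-on fix restores traffic
classify() {
    running=$1; link_a=$2; link_b=$3
    if [ "$link_a" != "active" ] || [ "$link_b" != "active" ]; then
        printf 'hardware-failure\n'
    elif [ "$running" -ne 1 ]; then
        printf 'software-failure\n'
    else
        printf 'ok\n'
    fi
}

# Live probe of the process table: 1 if a suricata process exists, else 0.
suricata_running() {
    if pgrep -x suricata >/dev/null 2>&1; then printf '1\n'; else printf '0\n'; fi
}

# Constructed ifconfig output for the two bridge members (not a real capture).
SAMPLE_EM0='em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active'
SAMPLE_EM1='em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
	media: Ethernet autoselect
	status: no carrier'

# Stand-alone run: evaluate the constructed samples against the live process table.
# On a real sensor, replace the samples with "$(ifconfig em0)" and "$(ifconfig em1)".
main() {
    a=$(link_state "$SAMPLE_EM0")
    b=$(link_state "$SAMPLE_EM1")
    classify "$(suricata_running)" "$a" "$b"
}

main "$@"
```

Run from cron or a monitoring agent, the verdict distinguishes the case a restart policy can handle from the case that needs a bypass-capable NIC or a second path, which is exactly the distinction the two questions above draw.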