[Oisf-users] Two questions about using suricata as IPS in production environments

Andreas Herz andi at geekosphere.org
Fri Jan 23 08:46:32 UTC 2015

On 23/01/15 at 07:16, C. L. Martinez wrote:
> Hi all,
> After some time using suricata as IDS in our infrastructure, the next step
> is to move these suricata sensors to IPS.
> At this point I have some doubts. From the point of view of software
> and hardware failure, I see two "problems":
> a) If we make some mistake reconfiguring suricata, or some error
> appears with rules, or some other type of problem appears at the
> software level, suricata stops. Then, since this is a production
> environment, all traffic that crosses this sensor doesn't flow. If I
> am not wrong, configuring a bridge at OS level, this problem
> disappears. Is it correct??

There are several solutions; we're using a script which starts suricata
in IPS mode and also works as a watchdog to handle such an issue.
I'm not sure how FreeBSD works, but newer linux kernels allow -j NFQUEUE
with an option to accept when the QUEUE gets full or won't react.

> b) The most important problem: a hardware failure (network interfaces
> go down). What to do in this case?? Since this is an
> electronic/electrical problem, what type of hardware do I need to
> use?? Commercial products, for example Sourcefire appliances, solve
> these types of problems.

How do they solve those problems? It depends on your setup how to deal
with such issues. In IPS mode (at least in our scenario) the interface
going down won't do anything since the IPS mode is not bound to an
interface but to the iptables/netfilter section.

> There is a third path to avoid a hardware problem: use virtualization
> (ESXi as a first option). But this is an important performance
> penalty.
> Suggestions?? Ideas??
> All suricata IDS sensors are installed on FreeBSD hosts ... And this
> is our first OS option. I don't want to use any Linux with systemd in
> production environments.
> Many thanks for your help.

Andreas Herz
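The NFQUEUE-with-bypass rule and watchdog approach Andreas describes, as an added example (not Andreas's script and not part of the Suricata project). It assumes a Linux host with iptables 1.4.11+ / kernel 2.6.39+ (for `--queue-bypass`, which makes the kernel ACCEPT packets when no userspace program is bound to the queue), Suricata started with `-q <queue>`, and a PID file at /var/run/suricata.pid; the health check reads /proc/net/netfilter/nfnetlink_queue to confirm the queue is actually bound.

```shell
#!/bin/sh
# Fail-open NFQUEUE rule plus a minimal Suricata watchdog (constructed example).
QUEUE_NUM=${QUEUE_NUM:-0}

# Rule handing forwarded traffic to Suricata. --queue-bypass means that if
# Suricata dies (config error, crash), the kernel accepts packets instead of
# dropping them, so the bridge keeps passing traffic while it is restarted.
nfqueue_rule_args() {
    echo "FORWARD -j NFQUEUE --queue-num $QUEUE_NUM --queue-bypass"
}

install_rule() {
    # shellcheck disable=SC2046
    iptables -C $(nfqueue_rule_args) 2>/dev/null || iptables -I $(nfqueue_rule_args)
}

# 0 if Suricata is alive AND bound to our queue. Arguments default to the
# assumed PID file and the kernel's queue table (overridable for testing).
# nfnetlink_queue columns: queue_num peer_portid queue_total copy_mode
# copy_range queue_dropped queue_user_dropped id_sequence 1
suricata_healthy() {
    pidfile=${1:-/var/run/suricata.pid}
    queuefile=${2:-/proc/net/netfilter/nfnetlink_queue}
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    kill -0 "$pid" 2>/dev/null || return 1          # process exists
    [ -r "$queuefile" ] || return 1
    awk -v q="$QUEUE_NUM" '$1 == q { found = 1 } END { exit !found }' "$queuefile"
}

# Restart loop: bypass keeps traffic flowing in the gap, the watchdog closes it.
watchdog() {
    install_rule
    while :; do
        if ! suricata_healthy; then
            logger -t suricata-watchdog "suricata not bound to queue $QUEUE_NUM, restarting"
            suricata -c /etc/suricata/suricata.yaml -q "$QUEUE_NUM" -D
            sleep 5
        fi
        sleep 10
    done
}
# Run with: watchdog &   (as root; not invoked automatically here)
```

Note that `--queue-bypass` covers the "no listener" case; a queue that is bound but overflowing is a separate condition and is not handled by this rule.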
