[Oisf-users] Two questions about using suricata as IPS in production environments

C. L. Martinez carlopmart at gmail.com
Fri Jan 23 09:18:03 UTC 2015


On Fri, Jan 23, 2015 at 8:46 AM, Andreas Herz <andi at geekosphere.org> wrote:
> On 23/01/15 at 07:16, C. L. Martinez wrote:
>> Hi all,
>>
>>  After some time using suricata as IDS in our infrastructure, the next step
>> is to move these suricata sensors to IPS.
>>
>>  At this point I have some doubts. From the point of view of software
>> and hardware failure, I see two "problems":
>>
>> a) If we make some mistake reconfiguring suricata, or some error appears
>> with the rules, or some other type of problem appears at the software
>> level, suricata stops. Then, because this is a production environment,
>> all traffic that crosses this sensor doesn't flow. If I am not wrong,
>> configuring a bridge at OS level makes this problem disappear. Is it
>> correct??
>
> There are several solutions, we're using a script which starts suricata
> in IPS mode and also works as a watchdog to handle such an issue.
> I'm not sure how FreeBSD works, but newer linux kernels allow -j NFQUEUE
> with an option to accept when the QUEUE gets full or won't react.
>
>> b) The most important problem: a hardware failure (network interfaces
>> go down). What to do in this case?? Since this is an
>> electronic/electrical problem, what type of hardware do I need to
>> use?? Commercial products, for example Sourcefire appliances, solve
>> these types of problems.
>
> How do they solve those problems? It depends on your setup how to deal
> with such issues. In IPS mode (at least in our scenario) the interface
> going down won't do anything since the IPS mode is not bound to an
> interface but to the iptables/netfilter section.

Here it is: ftp://212.131.174.198/Sourcefire/Sourcefire%203D%20Sensor%20Bypass-Fail-Open%20Modes%20White%20Paper.pdf
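The two Linux-side mitigations Andreas mentions above (an NFQUEUE rule that lets the kernel accept traffic when Suricata is not listening or cannot keep up, plus a watchdog around the process) as an added example; this is not code from the thread, the Sourcefire paper or the Suricata project. The queue number, pid file path and restart command are assumed values, and the `--queue-bypass` / `--fail-open` options require a kernel and iptables new enough to support them.

```shell
#!/bin/sh
# Added example (not from the original thread): fail-open NFQUEUE rule builder
# and a minimal Suricata liveness check for an inline (IPS) deployment.

# Print the iptables command that diverts FORWARD traffic to NFQUEUE.
# --queue-bypass: kernel ACCEPTs packets when no userspace listener (Suricata)
#                 is bound to the queue, so a stopped or crashed Suricata
#                 does not black-hole the bridge.
# --fail-open:    kernel ACCEPTs instead of dropping when the queue is full,
#                 i.e. Suricata is alive but too slow to drain it.
# $1 = queue number (0-65535), $2 = "bypass" (default) or "strict" (fail-closed)
nfqueue_rule() {
    qnum=$1; mode=${2:-bypass}
    case $qnum in
        ''|*[!0-9]*) echo "invalid queue number: $qnum" >&2; return 1 ;;
    esac
    [ "$qnum" -le 65535 ] || { echo "queue number out of range" >&2; return 1; }
    rule="iptables -I FORWARD -j NFQUEUE --queue-num $qnum"
    if [ "$mode" = bypass ]; then
        rule="$rule --queue-bypass --fail-open"
    fi
    echo "$rule"
}

# Return 0 when the process named in the pid file is alive, 1 otherwise.
# The default pid file path is an assumption; match it to your suricata.yaml.
suricata_alive() {
    pidfile=${1:-/var/run/suricata.pid}
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    kill -0 "$pid" 2>/dev/null
}

# One watchdog tick: a pure decision so it can run without root. Whatever
# supervises Suricata (cron, systemd, a loop) acts on the returned word.
watchdog_action() {
    if suricata_alive "$1"; then
        echo "ok"
    else
        echo "restart"   # e.g. "systemctl restart suricata" (assumed command)
    fi
}
```

Applying the printed rule needs root, and Suricata must then be started against the same queue (`suricata -q 0 ...` for queue 0); the "strict" mode prints the fail-closed variant for comparison, which is the behaviour the original question worries about.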
