[Oisf-users] Two questions about using suricata as IPS in production environments

Andreas Herz andi at geekosphere.org
Fri Jan 23 10:16:52 UTC 2015


On 23/01/15 at 09:18, C. L. Martinez wrote:
> On Fri, Jan 23, 2015 at 8:46 AM, Andreas Herz <andi at geekosphere.org> wrote:
> > On 23/01/15 at 07:16, C. L. Martinez wrote:
> >> Hi all,
> >>
> >>  After some time using suricata as an IDS in our infrastructure, the next step
> >> is to move these suricata sensors to IPS.
> >>
> >>  At this point I have some doubts. From the point of view of software
> >> and hardware failure, I see two "problems":
> >>
> >> a) If we make some mistake reconfiguring suricata, or some error
> >> appears with rules, or some other type of problem appears at the
> >> software level, suricata stops. Then, since this is a production
> >> environment, all traffic that crosses this sensor doesn't flow. If I
> >> am not wrong, configuring a bridge at the OS level makes this problem
> >> disappear. Is that correct??
> >
> > There are several solutions, we're using a script which starts suricata
> > in IPS mode and also works as a watchdog to handle such an issue.
> > I'm not sure how FreeBSD works, but newer linux kernels allow -j NFQUEUE
> > with an option to accept when the QUEUE gets full or won't react.
> >
> >> b) The most important problem: a hardware failure (network interfaces
> >> go down). What to do in this case?? Since this is an
> >> electronic/electrical problem, what type of hardware do I need to
> >> use?? Commercial products such as, for example, Sourcefire appliances solve
> >> these types of problems.
> >
> > How do they solve those problems? It depends on your setup how to deal
> > with such issues. In IPS mode (at least in our scenario) the interface
> > going down won't do anything since the IPS mode is not bound to an
> > interface but to the iptables/netfilter section.
> 
> Here it is: ftp://212.131.174.198/Sourcefire/Sourcefire%203D%20Sensor%20Bypass-Fail-Open%20Modes%20White%20Paper.pdf

Nothing fancy. You can implement that rather easily with a
watchdog/script.

But as I said, that really depends on the exact setup you have and how
you start suricata etc.

-- 
Andreas Herz
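What a start-script-plus-watchdog of the kind described in this reply can look like, as an added example (not Andreas's script and not Suricata project code): it installs the NFQUEUE rule with --queue-bypass so the kernel accepts traffic when no process is bound to the queue, restarts a crashed engine a bounded number of times, and otherwise removes the rule so the sensor fails open. The queue number, pid file path, restart budget and suricata command line are placeholders; DRY_RUN=1 prints the privileged commands instead of running them, and the note about Suricata's own nfq "fail-open" setting is an assumption about its configuration, not something stated in the thread.

```shell
#!/bin/sh
# Added illustration, not the poster's script: fail-open NFQUEUE rules plus a
# watchdog for a Suricata IPS on Linux. QUEUE_NUM, MAX_RESTARTS, PIDFILE and
# the suricata command line below are placeholders.
QUEUE_NUM=${QUEUE_NUM:-0}
MAX_RESTARTS=${MAX_RESTARTS:-3}
PIDFILE=${PIDFILE:-/var/run/suricata.pid}
IPT=${IPT:-iptables}
DRY_RUN=${DRY_RUN:-1}      # 1 = print privileged commands instead of running them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Hand forwarded packets to userspace queue $QUEUE_NUM. --queue-bypass tells
# netfilter to ACCEPT packets when nothing is bound to the queue (Linux 2.6.39+,
# iptables 1.4.11+), so a dead Suricata fails open instead of blackholing the
# link. A hung Suricata that is still bound is a different case: the queue
# fills up, and whether those packets are accepted or dropped depends on the
# per-queue fail-open flag set by the listener (assumed here to be Suricata's
# "fail-open: yes" under nfq: in suricata.yaml).
install_rules() {
    run "$IPT" -I FORWARD -j NFQUEUE --queue-num "$QUEUE_NUM" --queue-bypass
}

remove_rules() {
    run "$IPT" -D FORWARD -j NFQUEUE --queue-num "$QUEUE_NUM" --queue-bypass
}

# True when the process named in $PIDFILE exists.
suricata_alive() {
    [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

start_suricata() {
    run suricata -c /etc/suricata/suricata.yaml -q "$QUEUE_NUM" -D --pidfile "$PIDFILE"
}

# One watchdog decision, kept free of side effects so it can be tested.
# $1 is "alive" or "dead", $2 the number of restarts already attempted.
# Prints one of: keep | restart | fail-open
watchdog_step() {
    if [ "$1" = alive ]; then
        echo keep
    elif [ "$2" -lt "$MAX_RESTARTS" ]; then
        echo restart
    else
        echo fail-open
    fi
}

# Main loop: restart a crashed engine a bounded number of times; if it keeps
# dying (bad rule file, broken config), pull the NFQUEUE rule so traffic flows
# unfiltered and leave the operator a syslog line to act on.
watchdog_loop() {
    attempts=0
    while :; do
        if suricata_alive; then state=alive; else state=dead; fi
        case "$(watchdog_step "$state" "$attempts")" in
            keep)
                attempts=0 ;;
            restart)
                attempts=$((attempts + 1))
                logger -t ipswatch "suricata down, restart attempt $attempts"
                start_suricata ;;
            fail-open)
                logger -t ipswatch "suricata keeps dying, removing NFQUEUE rule (fail open)"
                remove_rules
                return 1 ;;
        esac
        sleep 5
    done
}

# Usage (with DRY_RUN=1 this only prints the commands):
#   install_rules; start_suricata; watchdog_loop
```

The decision logic is separated from the side effects so the restart budget can be exercised without root or a live queue; in production the script would be run with DRY_RUN=0 from the service manager, and the restart budget keeps a permanently broken rule set from looping forever while the FORWARD rule still steers traffic into an empty queue.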
