[Oisf-users] Two questions about using suricata as IPS in production environments

C. L. Martinez carlopmart at gmail.com
Fri Jan 23 10:32:12 UTC 2015


On Fri, Jan 23, 2015 at 10:16 AM, Andreas Herz <andi at geekosphere.org> wrote:
> On 23/01/15 at 09:18, C. L. Martinez wrote:
>> On Fri, Jan 23, 2015 at 8:46 AM, Andreas Herz <andi at geekosphere.org> wrote:
>> > On 23/01/15 at 07:16, C. L. Martinez wrote:
>> >> Hi all,
>> >>
>> >>  After some time using suricata as IDS in our infrastructure, the next
>> >> step is to move these suricata sensors to IPS.
>> >>
>> >>  At this point I have some doubts. From the point of view of software
>> >> and hardware failure, I see two "problems":
>> >>
>> >> a) If we make some mistake reconfiguring suricata, or some error
>> >> appears with rules, or some other type of problem appears at the
>> >> software level, suricata stops. Then, because this is a production
>> >> environment, all traffic that crosses this sensor doesn't flow. If I
>> >> am not wrong, configuring a bridge at OS level makes this problem
>> >> disappear. Is it correct??
>> >
>> > There are several solutions, we're using a script which starts suricata
>> > in IPS mode and also works as a watchdog to handle such an issue.
>> > I'm not sure how FreeBSD works, but newer Linux kernels allow -j NFQUEUE
>> > with an option to accept when the QUEUE gets full or won't react.
>> >
>> >> b) The most important problem: a hardware failure (network interfaces
>> >> go down). What to do in this case?? Because this is an
>> >> electronic/electrical problem, what type of hardware do I need to
>> >> use?? Commercial products such as, for example, Sourcefire appliances solve
>> >> these types of problems.
>> >
>> > How do they solve those problems? It depends on your setup how to deal
>> > with such issues. In IPS mode (at least in our scenario) the interface
>> > going down won't do anything since the IPS mode is not bound to an
>> > interface but to the iptables/netfilter section.
>>
>> Here it is: ftp://212.131.174.198/Sourcefire/Sourcefire%203D%20Sensor%20Bypass-Fail-Open%20Modes%20White%20Paper.pdf
>
> Nothing fancy. You can implement that rather easily with a
> watchdog/script.
>
> But as I said, that really depends on the exact setup you have and how
> you start suricata etc.

Thanks Andreas, but I don't see how I can implement this using a
script when, for example, the server is rebooted.
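One way to combine the NFQUEUE fail-open option and the watchdog script discussed above on a Linux sensor, as an added example that is not code from the thread or from the Suricata project. It assumes a kernel and iptables new enough for `--queue-bypass` (the kernel then ACCEPTs packets while no process is bound to the queue, which also covers the window during a reboot before Suricata is up), a Suricata started with a pidfile, and hypothetical paths, START_CMD and MAX_RESTARTS values.

```sh
#!/bin/sh
# Added example (not from the thread): fail-open watchdog for Suricata in
# NFQUEUE IPS mode on Linux. Assumes kernel >= 3.6 / iptables >= 1.4.16
# (needed for --queue-bypass). Paths, START_CMD and MAX_RESTARTS are hypothetical.

QUEUE_NUM="${QUEUE_NUM:-0}"
IPT="${IPT:-iptables}"                        # can be pointed at a stub for dry runs
PIDFILE="${PIDFILE:-/var/run/suricata.pid}"
START_CMD="${START_CMD:-suricata -c /etc/suricata/suricata.yaml -q $QUEUE_NUM -D --pidfile $PIDFILE}"
MAX_RESTARTS="${MAX_RESTARTS:-3}"             # consecutive failed restarts before giving up

# --queue-bypass: the kernel ACCEPTs packets while no process is bound to the
# queue, so traffic keeps flowing during boot and after a Suricata crash.
RULE="FORWARD -j NFQUEUE --queue-num $QUEUE_NUM --queue-bypass"

install_rule() { $IPT -C $RULE 2>/dev/null || $IPT -I $RULE; }   # idempotent
remove_rule()  { $IPT -D $RULE 2>/dev/null || true; }

# True when the pidfile names a live process.
suricata_alive() {
    [ -r "$PIDFILE" ] && kill -0 "$(cat "$PIDFILE")" 2>/dev/null
}

# One watchdog pass (run it from cron or a loop). Prints the action taken:
# healthy | restarted | bypassed. The counter file tracks consecutive failures;
# a crash-looping Suricata is pulled out of the path (rule removed) so the
# sensor degrades to a plain forwarder instead of blocking production traffic.
watchdog_once() {
    counter_file="$1"
    if suricata_alive; then
        echo 0 > "$counter_file"
        echo healthy
        return 0
    fi
    n=$(( $(cat "$counter_file" 2>/dev/null || echo 0) + 1 ))
    echo "$n" > "$counter_file"
    if [ "$n" -gt "$MAX_RESTARTS" ]; then
        remove_rule
        echo bypassed
        return 1
    fi
    $START_CMD
    echo restarted
    return 0
}
```

Run `install_rule` from the boot sequence before Suricata starts and `watchdog_once /var/run/suricata-watchdog.count` periodically; a non-zero exit marks the bypassed state for monitoring.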
