[Oisf-users] Two questions about using suricata as IPS in production environments

Andreas Herz andi at geekosphere.org
Fri Jan 23 11:22:02 UTC 2015


On 23/01/15 at 10:32, C. L. Martinez wrote:
> On Fri, Jan 23, 2015 at 10:16 AM, Andreas Herz <andi at geekosphere.org> wrote:
> > On 23/01/15 at 09:18, C. L. Martinez wrote:
> >> On Fri, Jan 23, 2015 at 8:46 AM, Andreas Herz <andi at geekosphere.org> wrote:
> >> > On 23/01/15 at 07:16, C. L. Martinez wrote:
> >> >> Hi all,
> >> >>
> >> >>  After some time using suricata as IDS in our infrastructure, the next
> >> >> step is to move these suricata sensors to an IPS.
> >> >>
> >> >>  At this point I have some doubts. From the point of view of software
> >> >> and hardware failure, I see two "problems":
> >> >>
> >> >> a) If we make some mistake reconfiguring suricata, or some error
> >> >> appears with rules, or some other type of problem appears at the
> >> >> software level, suricata stops. Then, since this is a production
> >> >> environment, all traffic that crosses this sensor doesn't flow. If I
> >> >> am not wrong, configuring a bridge at OS level, this problem
> >> >> disappears. Is it correct??
> >> >
> >> > There are several solutions, we're using a script which starts suricata
> >> > in IPS mode and also works as a watchdog to handle such an issue.
> >> > I'm not sure how FreeBSD works, but newer Linux kernels allow -j NFQUEUE
> >> > with an option to accept when the QUEUE gets full or won't react.
> >> >
> >> >> b) The most important problem: a hardware failure (network interfaces
> >> >> go down). What to do in this case?? Since this is an
> >> >> electronic/electrical problem, what type of hardware do I need to
> >> >> use?? Commercial products, as for example Sourcefire appliances, solve
> >> >> this type of problem.
> >> >
> >> > How do they solve those problems? It depends on your setup how to deal
> >> > with such issues. In IPS mode (at least in our scenario) the interface
> >> > going down won't do anything since the IPS mode is not bound to an
> >> > interface but to the iptables/netfilter section.
> >>
> >> Here it is: ftp://212.131.174.198/Sourcefire/Sourcefire%203D%20Sensor%20Bypass-Fail-Open%20Modes%20White%20Paper.pdf
> >
> > Nothing fancy. You can implement that rather easy with a
> > watchdog/script.
> >
> > But as I said, that really depends on the exact setup you have and how
> > you start suricata etc.
> 
> Thanks Andreas, but I don't see how I can implement this using a
> script when, for example, the server is rebooted.

Well, for this you maybe need to set up a failover/cluster solution.
I thought you were just referring to the feature for IPS mode to keep the
flow going even when suricata crashes/quits.

-- 
Andreas Herz
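One way to put the two suggestions from the thread into practice (an NFQUEUE rule with the fail-open options, plus a watchdog script that restarts Suricata when it quits), as an added example that is not code from the thread or from the Suricata project. It assumes Linux with kernel 3.6 or newer and iptables 1.4.21 or newer (needed for `--queue-bypass` and `--fail-open`), Suricata started in NFQ mode with `suricata -q <n>`, and that the box routes traffic through the FORWARD chain; the queue number, config path and pidfile are assumed defaults. `DRY_RUN=1` (the default) only prints the commands so the logic can be checked on any machine.

```shell
#!/bin/sh
# Added example, not code from the thread: fail-open NFQUEUE rules plus a
# minimal watchdog that restarts Suricata when it dies. Assumes Linux with
# kernel >= 3.6 and iptables >= 1.4.21 (needed for --queue-bypass and
# --fail-open) and Suricata started in NFQ mode with "suricata -q <n>".
# Queue number, config path and pidfile below are assumed defaults.

QUEUE_NUM=${QUEUE_NUM:-0}
SURICATA_CFG=${SURICATA_CFG:-/etc/suricata/suricata.yaml}
PIDFILE=${PIDFILE:-/var/run/suricata.pid}
DRY_RUN=${DRY_RUN:-1}   # 1 = print commands only; 0 = really execute them
WATCHDOG_RESTARTS=0     # how many times the watchdog had to restart Suricata

# Print (dry run) or execute a command.
run_cmd() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Insert the FORWARD rule that hands routed traffic to Suricata's queue.
#  --queue-bypass : nothing bound to the queue (Suricata down) -> ACCEPT
#                   the packet instead of dropping it
#  --fail-open    : queue full (Suricata alive but overloaded) -> ACCEPT
#                   instead of drop
# Together they make the sensor fail open at the software level, which is
# a deliberate trade-off: while Suricata is down, traffic is uninspected.
nfq_rules_add() {
    run_cmd iptables -I FORWARD -j NFQUEUE --queue-num "$QUEUE_NUM" \
        --queue-bypass --fail-open
}

# Remove the rule again (same arguments, -D instead of -I).
nfq_rules_del() {
    run_cmd iptables -D FORWARD -j NFQUEUE --queue-num "$QUEUE_NUM" \
        --queue-bypass --fail-open
}

# Return 0 if the pidfile names a live process, 1 otherwise.
suricata_alive() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Start Suricata as a daemon bound to our queue.
start_suricata() {
    run_cmd suricata -c "$SURICATA_CFG" -q "$QUEUE_NUM" --pidfile "$PIDFILE" -D
}

# Poll every $1 seconds and restart Suricata if it is gone; $2 limits the
# number of checks (0 = run forever). Restart count ends up in
# WATCHDOG_RESTARTS.
watchdog() {
    interval=${1:-5}
    max_checks=${2:-0}
    checks=0
    WATCHDOG_RESTARTS=0
    while :; do
        if ! suricata_alive; then
            logger -t suricata-watchdog "suricata not running, restarting" 2>/dev/null || true
            start_suricata
            WATCHDOG_RESTARTS=$((WATCHDOG_RESTARTS + 1))
        fi
        checks=$((checks + 1))
        if [ "$max_checks" -gt 0 ] && [ "$checks" -ge "$max_checks" ]; then
            break
        fi
        sleep "$interval"
    done
    return 0
}

# Usage when run directly: "sh suricata-ips.sh apply" installs the rule,
# starts Suricata and runs the watchdog in the foreground (for real).
case "${1:-}" in
    apply)
        DRY_RUN=0
        nfq_rules_add
        start_suricata
        watchdog 5 0
        ;;
esac
```

Note that this only covers the software side of the question: with the two NFQUEUE options the kernel keeps forwarding packets while Suricata is stopped or overloaded, and the watchdog brings it back. A NIC that fails or a host that reboots still cuts the path, which, as the reply above says, needs a failover/cluster setup or bypass hardware rather than a script. If the sensor is a bridge rather than a router, the rule has to be matched where bridged traffic is seen by netfilter, which depends on the br_netfilter configuration of the kernel in use.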