[Oisf-users] Two questions about using suricata as IPS in production environments

C. L. Martinez carlopmart at gmail.com
Fri Jan 23 11:55:13 UTC 2015


On Fri, Jan 23, 2015 at 11:22 AM, Andreas Herz <andi at geekosphere.org> wrote:
> On 23/01/15 at 10:32, C. L. Martinez wrote:
>> On Fri, Jan 23, 2015 at 10:16 AM, Andreas Herz <andi at geekosphere.org> wrote:
>> > On 23/01/15 at 09:18, C. L. Martinez wrote:
>> >> On Fri, Jan 23, 2015 at 8:46 AM, Andreas Herz <andi at geekosphere.org> wrote:
>> >> > On 23/01/15 at 07:16, C. L. Martinez wrote:
>> >> >> Hi all,
>> >> >>
>> >> >>  After some time using suricata as IDS in our infrastructure, the next step
>> >> >> is to move these suricata sensors to IPS.
>> >> >>
>> >> >>  At this point I have some doubts. From the point of view of software
>> >> >> and hardware failure, I see two "problems":
>> >> >>
>> >> >> a) If we make some mistake reconfiguring suricata, or some error
>> >> >> appears with the rules, or some other type of problem appears at
>> >> >> software level, suricata stops. Then, because this is a production
>> >> >> environment, all traffic that crosses this sensor doesn't flow. If I
>> >> >> am not wrong, configuring a bridge at OS level, this problem
>> >> >> disappears. Is it correct??
>> >> >
>> >> > There are several solutions; we're using a script which starts suricata
>> >> > in IPS mode and also works as a watchdog to handle such an issue.
>> >> > I'm not sure how FreeBSD works, but newer Linux kernels allow -j NFQUEUE
>> >> > with an option to accept when the QUEUE gets full or won't react.
>> >> >
>> >> >> b) The most important problem: a hardware failure (network interfaces
>> >> >> go down). What to do in this case?? Because this is an
>> >> >> electronic/electrical problem, what type of hardware do I need to
>> >> >> use?? Commercial products such as, for example, Sourcefire appliances solve
>> >> >> this type of problem.
>> >> >
>> >> > How do they solve those problems? It depends on your setup how to deal
>> >> > with such issues. In IPS mode (at least in our scenario) the interface
>> >> > going down won't do anything, since the IPS mode is not bound to an
>> >> > interface but to the iptables/netfilter section.
>> >>
>> >> Here it is: ftp://212.131.174.198/Sourcefire/Sourcefire%203D%20Sensor%20Bypass-Fail-Open%20Modes%20White%20Paper.pdf
>> >
>> > Nothing fancy. You can implement that rather easily with a
>> > watchdog/script.
>> >
>> > But as I said, that really depends on the exact setup you have and how
>> > you start suricata etc.
>>
>> Thanks Andreas, but I don't see how I can implement this using a
>> script when, for example, the server is rebooted.
>
> Well, for this you need to set up a failover/cluster solution maybe.

Ah .. Ok. This was my first idea.

> I thought you were just referring to the feature for IPS mode to keep the
> flow going even when suricata crashes/quits.

Sure. But, if I am not wrong, if I configure a bridge at OS level, it
is not necessary to deploy a script to watch the suricata process .. Right?
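The two Linux-side mechanisms Andreas mentions for point (a), the NFQUEUE "accept when nobody reacts" option and a watchdog script, side by side as an added example that is not part of this thread and not Suricata's or OISF's own code. It assumes iptables with the NFQUEUE target's `--queue-bypass` flag (present in kernels since 2.6.39) and a Suricata started with `-q <queue>`; `QUEUE_NUM`, `PIDFILE`, the `suricata.yaml` path and the `DRY_RUN` switch are placeholders chosen for this illustration. With `DRY_RUN=1` (the default here) every privileged command is printed instead of executed, so the script can be read and run without touching a live firewall.

```shell
#!/bin/sh
# Added example (not from the thread): fail-closed vs. fail-open NFQUEUE
# rules and a minimal watchdog iteration for Suricata in IPS mode on Linux.
# QUEUE_NUM, PIDFILE, the config path and DRY_RUN are placeholders.

QUEUE_NUM="${QUEUE_NUM:-0}"
PIDFILE="${PIDFILE:-/var/run/suricata.pid}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print privileged commands instead of running them

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Fail-closed rule (the situation described in point (a) of the thread):
# when no userspace program is bound to the queue, e.g. because Suricata
# crashed or was stopped, the kernel drops every packet sent to it, so all
# forwarded traffic stops.
nfq_rule_failclosed() {
    echo "iptables -I FORWARD -j NFQUEUE --queue-num $QUEUE_NUM"
}

# Fail-open rule: --queue-bypass makes the NFQUEUE target behave like
# ACCEPT while nothing is listening on the queue, so a Suricata crash or
# restart no longer cuts the link. Packets are still not inspected during
# that window, which is why a watchdog is still worth having.
nfq_rule_failopen() {
    echo "iptables -I FORWARD -j NFQUEUE --queue-num $QUEUE_NUM --queue-bypass"
}

# Return 0 if the pidfile names a live process, 1 otherwise.
suricata_alive() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(cat "$pidfile")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# One watchdog iteration: restart Suricata if it is gone. Returns 0 when
# nothing had to be done, 1 when a restart was issued. With the fail-open
# rule in place traffic keeps flowing while it comes back up; with the
# fail-closed rule this loop is the only thing limiting the outage.
watchdog_once() {
    if suricata_alive "$PIDFILE"; then
        return 0
    fi
    run suricata -c /etc/suricata/suricata.yaml -q "$QUEUE_NUM" -D \
        --pidfile "$PIDFILE"
    return 1
}

# When run as a script: show both rule variants and apply the fail-open one.
if [ "${1:-}" = "show" ]; then
    echo "fail-closed: $(nfq_rule_failclosed)"
    echo "fail-open:   $(nfq_rule_failopen)"
    run $(nfq_rule_failopen)
fi
```

A cron entry or a `while true; do watchdog_once; sleep 5; done` loop around `watchdog_once` gives the watchdog behaviour from the thread; `--queue-bypass` covers the gap between a crash and that restart. Note that bypass only addresses the software failure in point (a): the hardware case in point (b), a NIC or the whole host going down, needs a bypass NIC or a failover pair, as the thread concludes.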
