[Oisf-users] Two questions about using suricata as IPS in production environments

Andreas Herz andi at geekosphere.org
Fri Jan 23 12:18:27 UTC 2015

On 23/01/15 at 12:11, C. L. Martinez wrote:
> On Fri, Jan 23, 2015 at 11:59 AM, Andreas Herz <andi at geekosphere.org> wrote:
> > On 23/01/15 at 11:55, C. L. Martinez wrote:
> >> On Fri, Jan 23, 2015 at 11:22 AM, Andreas Herz <andi at geekosphere.org> wrote:
> >> > I thought you were just referring to the feature for IPS mode to let the
> >> > flow keep going even when suricata crashes/quits.
> >>
> >> Sure. But, if I am not wrong, if I configure a bridge at OS level, it
> >> is not necessary to deploy a script to watch the suricata process .. Right?
> >
> > I don't understand what you mean with this in detail.
> >
> oops, sorry. I will try to explain it better. Instead of using a
> watchdog/script when some type of problem occurs with suricata at
> software level (restart suricata, reload rules, etc..) I can configure
> a bridge between two NICs in the host. If suricata stops for any
> reason, traffic isn't dropped. Correct??

As I said, that depends on your setup; I'm not that familiar with

For example I start suricata like this:

 suricata -c /etc/suricata/suricata.config -q 0

And my relevant part in iptables/netfilter is:

 iptables -A IDS -j NFQUEUE --queue-num 0

So all packets are going into QUEUE 0, at which suricata is
listening. So when the QUEUE runs into trouble (suricata crashed),
traffic stops. So either I have a script to restart suricata, I flush
the IDS rule, or I use something like --queue-bypass, described here:


Maybe someone with more *BSD experience can help you more.

Andreas Herz
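The NFQUEUE setup above, spelled out as an added example (not part of Andreas' mail or of Suricata's own scripts). It assumes the same chain name IDS and queue number 0 as in the mail, and reads the kernel's /proc/net/netfilter/nfnetlink_queue to tell whether any userspace program (suricata started with -q 0) is still bound to the queue. The fail-open and fail-closed variants of the rule are both shown; the watchdog function is what a restart script would call before deciding to restart suricata or flush the rule:

```shell
#!/bin/sh
# Added example: NFQUEUE rule variants plus a watchdog check for Suricata in
# inline (IPS) mode. Chain name and queue number are taken from the mail above.
QUEUE_NUM=0
IDS_CHAIN=IDS

# Build the iptables rule for the IDS chain.
#   strict : packets are dropped while nothing is bound to the queue (fail-closed,
#            the behaviour Andreas describes when suricata has crashed).
#   bypass : --queue-bypass makes the kernel ACCEPT packets when no program is
#            bound to the queue, so traffic keeps flowing uninspected (fail-open).
# The function only prints the command so it can be reviewed before applying.
nfqueue_rule() {
  mode="$1"
  if [ "$mode" = bypass ]; then
    echo "iptables -A $IDS_CHAIN -j NFQUEUE --queue-num $QUEUE_NUM --queue-bypass"
  else
    echo "iptables -A $IDS_CHAIN -j NFQUEUE --queue-num $QUEUE_NUM"
  fi
}

# Watchdog check: succeeds if some process is bound to the given queue number.
# /proc/net/netfilter/nfnetlink_queue has one line per bound queue; the first
# column is the queue number, the second the netlink port id of the listener.
# The file path is a parameter so the check can be run against a constructed
# copy of the file as well as the live one.
queue_bound() {
  qfile="${1:-/proc/net/netfilter/nfnetlink_queue}"
  qnum="${2:-$QUEUE_NUM}"
  [ -r "$qfile" ] || return 1
  awk -v q="$qnum" '$1 == q { found = 1 } END { exit (found ? 0 : 1) }' "$qfile"
}

# One watchdog iteration: returns 0 if suricata is still on the queue,
# otherwise runs the supplied recovery command (e.g. "systemctl restart
# suricata" or "iptables -F IDS") and returns 1 so the caller can log it.
watchdog_step() {
  recover_cmd="$1"
  qfile="${2:-/proc/net/netfilter/nfnetlink_queue}"
  if queue_bound "$qfile" "$QUEUE_NUM"; then
    return 0
  fi
  eval "$recover_cmd"
  return 1
}

# Apply the fail-open rule only when explicitly asked, e.g.: sh nfq.sh apply
if [ "${1:-}" = apply ]; then
  sh -c "$(nfqueue_rule bypass)"
fi
```

Whether bypass is the right choice is a policy decision: with --queue-bypass a crashed suricata silently turns the IPS into a plain router, so the watchdog check above should still alert on it even if the traffic is allowed through. The same function works for several queues if suricata is started with a queue range, by passing each queue number to queue_bound.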
