[Oisf-users] Two questions about using suricata as IPS in production environments

Shirkdog shirkdog at gmail.com
Fri Jan 23 13:17:50 UTC 2015


You should be able to use divert sockets with ipfw on FreeBSD just like Snort
to achieve IPS functionality.
On 23/01/15 at 12:11, C. L. Martinez wrote:
> On Fri, Jan 23, 2015 at 11:59 AM, Andreas Herz <andi at geekosphere.org> wrote:
> > On 23/01/15 at 11:55, C. L. Martinez wrote:
> >> On Fri, Jan 23, 2015 at 11:22 AM, Andreas Herz <andi at geekosphere.org> wrote:
> >> > I thought you were just referring to the feature for IPS mode to let
> >> > the flow going even when suricata crashes/quits.
> >>
> >> Sure. But, if I am not wrong, if I configure a bridge at OS level, it
> >> is not necessary to deploy a script to watch the suricata process .. Right?
> >
> > I don't understand what you mean with this in detail.
> >
>
> oops, sorry. I will try to explain it better. Instead of using a
> watchdog/script when some type of problem occurs with suricata at
> software level (restart suricata, reload rules, etc..) I can configure
> a bridge between two nics in the host. If suricata stops for any
> reason, traffic isn't dropped. Correct?

As I said, that depends on your setup; I'm not that familiar with
FreeBSD.

For example, I start suricata like this:

 suricata -c /etc/suricata/suricata.config -q 0

And my relevant part in iptables/netfilter is:

 iptables -A IDS -j NFQUEUE --queue-num 0

So all packets are going into QUEUE 0, on which suricata is
listening. So when the QUEUE runs into trouble (suricata crashed)
traffic stops. So either I have a script to restart suricata, I flush
the IDS rule, or I use something like --queue-bypass described here:

https://home.regit.org/netfilter-en/using-nfqueue-and-libnetfilter_queue/

Maybe someone with more *BSD experience can help you more.

--
Andreas Herz
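The two NFQUEUE wirings contrasted in the reply above (the plain rule, where traffic stops when nothing is bound to the queue, and the same rule with --queue-bypass, where packets are accepted uninspected while suricata is down), together with the queue-listener check a restart script needs, as an added example. This is not code from the thread or from the Suricata project. It assumes Linux, queue number 0, a user-defined chain named IDS that is already jumped to from FORWARD, "suricata -q 0" as in the thread, and a restart command (RESTART_CMD) that is a placeholder you would replace with your own.

```shell
#!/bin/sh
# Added example, not from the thread or the Suricata project.
# Fail-closed vs fail-open NFQUEUE wiring for Suricata on Linux, plus a
# check of /proc/net/netfilter/nfnetlink_queue that a watchdog can use.
# Assumptions: queue 0, chain IDS already reached from FORWARD.

QUEUE_NUM=${QUEUE_NUM:-0}
CHAIN=${CHAIN:-IDS}
NFQ_STATE=${NFQ_STATE:-/proc/net/netfilter/nfnetlink_queue}

# Rule as used in the reply above: with no listener bound to the queue
# the kernel drops the packet, so a crashed suricata means no forwarding.
rule_fail_closed() {
    printf 'iptables -A %s -j NFQUEUE --queue-num %s\n' "$CHAIN" "$QUEUE_NUM"
}

# Same rule with --queue-bypass (Linux 2.6.39 / iptables 1.4.11 or later):
# with no listener the verdict becomes ACCEPT, so the link stays up but
# nothing is inspected until suricata is back.
rule_fail_open() {
    printf 'iptables -A %s -j NFQUEUE --queue-num %s --queue-bypass\n' "$CHAIN" "$QUEUE_NUM"
}

# Is any process bound to queue $1?  Reads the nfnetlink_queue table
# (columns: queue_number peer_portid queue_total copy_mode copy_range
# queue_dropped user_dropped id_sequence).  $2 lets a test point at a
# constructed copy of that file instead of the live one.
queue_has_listener() {
    q=$1; f=${2:-$NFQ_STATE}
    [ -r "$f" ] || return 1
    awk -v q="$q" '$1 == q { found = 1 } END { exit found ? 0 : 1 }' "$f"
}

# Packets the kernel dropped because the queue was full (suricata too
# slow to verdict): a growing value here is the other way traffic "stops"
# even though the process is alive.  Prints 0 if the queue is not bound.
queue_kernel_drops() {
    q=$1; f=${2:-$NFQ_STATE}
    [ -r "$f" ] || { echo 0; return; }
    awk -v q="$q" '$1 == q { print $6; found = 1 } END { if (!found) print 0 }' "$f"
}

# Watchdog loop for the fail-closed wiring: restart suricata whenever
# nothing is bound to the queue.  RESTART_CMD is an assumption; -D is
# suricata's daemonize flag.
watchdog() {
    RESTART_CMD=${RESTART_CMD:-"suricata -c /etc/suricata/suricata.yaml -q $QUEUE_NUM -D"}
    while :; do
        if ! queue_has_listener "$QUEUE_NUM"; then
            echo "no listener on queue $QUEUE_NUM, restarting suricata" >&2
            $RESTART_CMD
        fi
        sleep 5
    done
}
```

Pick one of the two rules deliberately: --queue-bypass keeps the link up but turns the box into a plain router while suricata is down, so it only belongs where availability outranks inspection; the plain rule plus the watchdog keeps the fail-closed behaviour the reply describes and just shortens the outage. Watching queue_dropped alongside the listener check catches the case where suricata is running but too slow, which --queue-bypass does nothing about.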
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Training now available: http://suricata-ids.org/training/