[Oisf-users] Two questions about using suricata as IPS in production environments

Leonard Jacobs ljacobs at netsecuris.com
Fri Jan 23 14:00:54 UTC 2015

Maybe the other option is to use the af-packet method of IPS.
From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Shirkdog
Sent: Friday, January 23, 2015 7:18 AM
To: Andreas Herz
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Two questions about using suricata as IPS in production environments
You should be able to use divert sockets with ipfw on FreeBSD just like Snort to achieve IPS functionality.
On 23/01/15 at 12:11, C. L. Martinez wrote:
> On Fri, Jan 23, 2015 at 11:59 AM, Andreas Herz <andi at geekosphere.org> wrote:
> > On 23/01/15 at 11:55, C. L. Martinez wrote:
> >> On Fri, Jan 23, 2015 at 11:22 AM, Andreas Herz <andi at geekosphere.org> wrote:
> >> > I thought you were just referring to the feature for IPS mode to let the
> >> > flow going even when suricata crashes/quits.
> >>
> >> Sure. But, if I am not wrong, if I configure a bridge at SO level, it
> >> is not needed to deploy a script to watch the suricata process .. Right?
> >
> > I don't understand what you mean with this in detail.
> >
> oops, sorry. I will try to explain it better. Instead of using a
> watchdog/script when some type of problem occurs with suricata at
> software level (restart suricata, reload rules, etc..) I can configure
> a bridge between two nics in the host. If suricata stops for any
> reason, traffic isn't dropped. Correct??

As I said, that depends on your setup, I'm not that familiar with

For example I start suricata like this:

 suricata -c /etc/suricata/suricata.config -q 0

And my relevant part in iptables/netfilter is:

 iptables -A IDS -j NFQUEUE --queue-num 0

So all packets are going into the QUEUE 0 at which suricata is
listening. So when the QUEUE runs into trouble (suricata crashed)
traffic stops. So either I have a script to restart suricata, I flush
the IDS rule or I use something like --queue-bypass described here:


Maybe someone with more *BSD experience can help you more.

Andreas Herz
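An added example, not code from the thread or from the Suricata project, that puts Andreas's two alternatives side by side: the NFQUEUE rule exactly as posted (fail-closed: when nothing is bound to queue 0 the kernel drops the packets) next to the same rule with --queue-bypass (fail-open: packets are accepted, uninspected, while suricata is down), plus one pass of the watchdog alternative, which reads the kernel's queue table in /proc/net/netfilter/nfnetlink_queue to see whether anything is still listening on the queue. The chain name IDS, queue number 0 and the suricata command line come from Andreas's message; the function names, the APPLY switch and the sample table line used below are assumptions of this example. Nothing is installed or restarted unless APPLY=1 is set, since both need root.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Suricata project.
# Chain "IDS", queue 0 and the suricata command line are the ones Andreas
# posted; the function names, the APPLY switch and the dry-run behaviour are
# assumptions of this example. Nothing is installed unless APPLY=1 (root).

QUEUE_NUM=0
CHAIN=IDS
SURICATA_CONF=/etc/suricata/suricata.config   # path as used in the thread

# Rule exactly as posted: with no userspace program bound to queue 0 (suricata
# crashed, was stopped, or has not started yet) the kernel DROPS every packet
# that reaches this rule, so the box fails closed.
nfqueue_rule_fail_closed() {
    printf 'iptables -A %s -j NFQUEUE --queue-num %s\n' "$CHAIN" "$QUEUE_NUM"
}

# Same rule with --queue-bypass (needs a kernel and iptables that support it):
# packets are ACCEPTED when no listener is attached, so traffic keeps flowing,
# uninspected, while suricata is down. Pick this when availability outranks
# inspection; pick the rule above when it does not.
nfqueue_rule_fail_open() {
    printf 'iptables -A %s -j NFQUEUE --queue-num %s --queue-bypass\n' \
        "$CHAIN" "$QUEUE_NUM"
}

# Print or (with APPLY=1) run the chosen rule. $1 is "closed" or "open".
install_rule() {
    case "$1" in
        closed) rule=$(nfqueue_rule_fail_closed) ;;
        open)   rule=$(nfqueue_rule_fail_open) ;;
        *) echo "usage: install_rule closed|open" >&2; return 2 ;;
    esac
    if [ "${APPLY:-0}" = 1 ]; then
        sh -c "$rule"
    else
        echo "dry run: $rule"
    fi
}

# /proc/net/netfilter/nfnetlink_queue has one line per bound queue; the
# columns are: queue_num peer_portid queue_total copy_mode copy_range
# queue_dropped queue_user_dropped id_sequence 1.  A queue that nothing is
# bound to simply has no line.  $2 lets a caller point at a saved copy.
queue_has_listener() {
    q=$1
    table=${2:-/proc/net/netfilter/nfnetlink_queue}
    [ -r "$table" ] || return 1
    awk -v q="$q" '$1 == q { found = 1 } END { exit found ? 0 : 1 }' "$table"
}

# Kernel-side drops for a queue (column 6): packets dropped because the queue
# was full, i.e. suricata was alive but could not keep up.  Prints 0 if the
# queue is not bound.
queue_dropped_count() {
    q=$1
    table=${2:-/proc/net/netfilter/nfnetlink_queue}
    [ -r "$table" ] || { echo 0; return; }
    awk -v q="$q" 'BEGIN { d = 0 } $1 == q { d = $6 } END { print d }' "$table"
}

# One watchdog pass: the alternative to --queue-bypass that the thread
# mentions.  Restart suricata (daemonised with -D) if nothing is listening.
watchdog_once() {
    if queue_has_listener "$QUEUE_NUM" "$1"; then
        echo "queue $QUEUE_NUM: listener present, $(queue_dropped_count "$QUEUE_NUM" "$1") kernel drops"
        return 0
    fi
    echo "queue $QUEUE_NUM: no listener, restarting suricata"
    if [ "${APPLY:-0}" = 1 ]; then
        suricata -c "$SURICATA_CONF" -q "$QUEUE_NUM" -D
    fi
    return 1
}

# Usage: sh nfq-ips.sh show | check   (run "check" from cron or a systemd timer)
case "${1:-}" in
    show)  install_rule closed; install_rule open ;;
    check) watchdog_once ;;
esac
```

Note the two failure modes are different: a missing listener (suricata gone) is what --queue-bypass or the watchdog handles, while a rising queue_dropped counter means suricata is running but the queue overflowed, which neither of the two fixes addresses; that one points at tuning rather than restarts.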
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Training now available: http://suricata-ids.org/training/