[Oisf-users] Suricata - Reject in one-arm IPS/IDS mode

Rodgers, Anthony (DTMB) RodgersA1 at michigan.gov
Mon Mar 23 16:17:43 UTC 2015

Why not use a web proxy like squid for this?

Anthony Rodgers
Security Analyst
Michigan Security Operations Center (MiSOC)
DTMB, Michigan Cyber Security

From: oisf-users-bounces at lists.openinfosecfoundation.org [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Rovnov Pavel
Sent: Sunday, March 22, 2015 16:55
To: oisf-users at lists.openinfosecfoundation.org
Subject: [Oisf-users] Suricata - Reject in one-arm IPS/IDS mode


I'm considering using Suricata as a monitoring solution. The task is to alert on visits to particular web sites (HTTP or HTTPS). I'm in the planning stage now.

I would like to place Suricata out-of-band - a switch will mirror traffic to Suricata. I would like to log and reset 'bad' TCP/HTTP sessions with the REJECT action.

1) Can I use reject when out-of-band?

2) How can I specify the interface to send rejects from? I can't use a 2-way SPAN port on my switch.

There is something similar to question #2 discussed here (https://redmine.openinfosecfoundation.org/issues/957) but I can't understand the description...

Thanks a lot!

/ Pavel
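An added example, not from either post: a minimal rule set for the use case Pavel describes, alerting on and actively rejecting visits to one named site over HTTP (Host header) and HTTPS (TLS SNI). The domain and sid values are placeholders. In an out-of-band/SPAN deployment Suricata cannot drop the mirrored packet, so reject works by injecting TCP RSTs toward the endpoints, which only helps if the forged RST reaches the client before the real server response does.

```suricata
# Constructed example rules (not from the thread). Replace badsite.example
# and pick sids that do not collide with the rule sets you already load.

# HTTP: match the Host header of the client request and send a TCP RST to
# the connection. In IDS/SPAN mode the RST is injected by Suricata itself,
# so it races the genuine server response; the alert is logged either way.
reject http $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY visit to badsite.example over HTTP"; flow:established,to_server; http.host; content:"badsite.example"; nocase; endswith; classtype:policy-violation; sid:1000001; rev:1;)

# HTTPS: the URL is encrypted, but the Server Name Indication in the
# ClientHello is still in the clear, so match the site there instead.
reject tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"POLICY visit to badsite.example over TLS"; flow:established,to_server; tls.sni; content:"badsite.example"; nocase; endswith; classtype:policy-violation; sid:1000002; rev:1;)
```

Reference the file under rule-files in suricata.yaml and run `suricata -T -c suricata.yaml` to validate the rules before monitoring live traffic.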
