[Oisf-users] Is it possible to restart suricata with zero drops when suricata-IPS crashes
Nelson, Cooper
cnelson at ucsd.edu
Mon Nov 19 19:01:45 UTC 2018
If you really wanted to do something like this I would suggest spinning up an indexed full-packet capture solution (like moloch) and then running suricata in off-line mode against the resulting pcaps if it crashes. Not an ideal solution but it will work.
IF you want suricata to ‘fail closed’ so no data is passed I think it will do this if it’s configured inline in IPS mode. In IDS mode you could always use a monitoring tool to run a script to shut down an interface if the suricata process is not running.
-Coop
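Cooper's IDS-mode suggestion above (a monitor that takes the interface down when the Suricata process is gone), written out as an added POSIX shell example; this is not code from the thread or from the Suricata project. It assumes the process is named suricata, the monitored NIC is eth1, and iproute2's `ip link` is what takes it down; the check and shutdown commands are variables so the logic can be exercised without touching a real interface.

```shell
#!/bin/sh
# Added example: fail-closed watchdog for Suricata running in IDS mode.
# Assumptions (not from the thread): process name "suricata", monitored NIC
# "eth1", interface taken down with "ip link set dev <iface> down".
# The check and shutdown commands are variables so the decision logic can be
# tested with stand-ins such as "true"/"false" instead of real commands.

MONITOR_IFACE="${MONITOR_IFACE:-eth1}"
CHECK_CMD="${CHECK_CMD:-pidof suricata}"                      # non-zero exit = not running
DOWN_CMD="${DOWN_CMD:-ip link set dev $MONITOR_IFACE down}"   # needs root/CAP_NET_ADMIN

# suricata_running: returns 0 when the check command finds a Suricata process.
suricata_running() {
    $CHECK_CMD >/dev/null 2>&1
}

# fail_closed_check: if Suricata is not running, take the monitored interface
# down so traffic stops flowing uninspected. Return codes:
#   0  Suricata running, interface left alone
#   1  Suricata not running, interface taken down
#   2  Suricata not running and the shutdown command failed (still open!)
fail_closed_check() {
    if suricata_running; then
        echo "suricata running; $MONITOR_IFACE left up"
        return 0
    fi
    if $DOWN_CMD; then
        echo "suricata not running; $MONITOR_IFACE taken down"
        return 1
    fi
    echo "suricata not running and failed to take $MONITOR_IFACE down" >&2
    return 2
}

# Run one check when invoked with --run; schedule that from cron or a systemd
# timer (e.g. every few seconds) and alert on any non-zero exit.
case "${1:-}" in
    --run) fail_closed_check ;;
esac
```

Return code 2 is the case worth paging on: the sensor is gone and the link is still up, which is exactly the window the question asks about.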
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of kavi perumal
Sent: Sunday, November 18, 2018 9:40 PM
To: oisf-users at lists.openinfosecfoundation.org
Subject: [Oisf-users] Is it possible to restart suricata with zero drops when suricata-IPS crashes
Hi,
When running suricata in IDS (or) IPS mode in data path, when there is a crash/failure in suricata, is it possible to restart suricata with zero packet drops?
(or) any way to bypass the traffic until suricata gets restarted?
Regards
-Kavi Perumal G.