[Oisf-users] Is it possible to restart suricata with zero drops when suricata-IPS crashes

Michał Purzyński michalpurzynski1 at gmail.com
Mon Nov 19 21:55:03 UTC 2018


That's harder than it sounds and needs some architectural changes.

You could run two sensors in a fault-tolerant configuration and have
them monitor the same traffic and never restart them at the same time,
I guess.
There is a reason no IDS on the market can do it (unless run in some
kind of FT mode).

Or, like Cooper said, run IPS and do not forward packets when Suricata is down.

Or just live with it.

On Mon, Nov 19, 2018 at 11:02 AM Nelson, Cooper <cnelson at ucsd.edu> wrote:
>
> If you really wanted to do something like this I would suggest spinning up an indexed full-packet capture solution (like moloch) and then running suricata in off-line mode against the resulting pcaps if it crashes.  Not an ideal solution but it will work.
>
> IF you want suricata to ‘fail closed’ so no data is passed I think it will do this if it’s configured inline in IPS mode.  In IDS mode you could always use a monitoring tool to run a script to shutdown an interface if the suricata process is not running.
>
> -Coop
>
> From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of kavi perumal
> Sent: Sunday, November 18, 2018 9:40 PM
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: [Oisf-users] Is it possible to restart suricata with zero drops when suricata-IPS crashes
>
> Hi,
>
> When running suricata in IDS (or) IPS mode in the data path, when there is a crash/failure in suricata, is it possible to restart suricata with zero packet drops?
>
> (or) any way to bypass the traffic until suricata gets restarted?
>
> Regards
>
> -Kavi Perumal G.
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
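The "monitoring tool runs a script to shut down an interface" approach Cooper describes for IDS mode, written out as an added example; this is not code from the thread or from the Suricata project. The process name "suricata", the interface name in SENSOR_IFACE, the use of iproute2 (`ip link`) and the DRY_RUN switch are assumptions for illustration:

```shell
#!/bin/sh
# Added example, not code from the thread or from the Suricata project.
# Fail-closed watchdog for a sensor running in IDS mode: when no suricata
# process is found, the monitored interface is taken down so traffic stops
# passing through the sensor host.
# Assumptions (hypothetical, adjust to the deployment): the process is
# named "suricata", the interface is $SENSOR_IFACE, the host has iproute2,
# and DRY_RUN=1 prints the shutdown command instead of executing it.

SENSOR_IFACE="${SENSOR_IFACE:-eth1}"
CHECK_INTERVAL="${CHECK_INTERVAL:-2}"
DRY_RUN="${DRY_RUN:-0}"

# Probe the process table: prints "running" or "stopped".
probe_state() {
    if pgrep -x suricata >/dev/null 2>&1; then
        echo running
    else
        echo stopped
    fi
}

# Map a sensor state to an action: "none" while running, "down" once stopped.
decide_action() {
    case "$1" in
        running) echo none ;;
        stopped) echo down ;;
        *)       echo "unknown state: $1" >&2; return 2 ;;
    esac
}

# The command that fails the sensor closed; a separate function so it can be
# inspected in a dry run before the script is ever allowed to touch a link.
fail_closed_cmd() {
    printf 'ip link set dev %s down' "$1"
}

# Run a command, or only print it when DRY_RUN=1.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "DRY RUN: $1"
    else
        sh -c "$1"
    fi
}

# Handle one observed state ($1 = running|stopped); prints "state:action".
handle_state() {
    action=$(decide_action "$1") || return 2
    if [ "$action" = down ]; then
        logger -t suricata-watchdog "suricata not running; taking $SENSOR_IFACE down" 2>/dev/null || true
        run_cmd "$(fail_closed_cmd "$SENSOR_IFACE")"
    fi
    echo "$1:$action"
}

# Poll loop, acting only on state transitions. It is entered only when
# WATCHDOG_LOOP=1, so the functions above can be sourced and checked without
# touching any interface.
if [ "${WATCHDOG_LOOP:-0}" = 1 ]; then
    last=
    while :; do
        state=$(probe_state)
        [ "$state" != "$last" ] && handle_state "$state"
        last=$state
        sleep "$CHECK_INTERVAL"
    done
fi
```

Run it as `WATCHDOG_LOOP=1 SENSOR_IFACE=eth1 sh watchdog.sh` under a supervisor, after first checking the planned command with `DRY_RUN=1`. The caveat is the one implied by Cooper's "so no data is passed": taking an interface down only fails the sensor closed when that interface actually carries the production traffic (for example a bridge member on an inline host). On a SPAN or mirror port, dropping the sniffing interface blocks nothing, and only the IPS-inline configuration gives the fail-closed behaviour the original question asks about.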
