[Oisf-users] Is it possible to restart suricata with zero drops when suricata-IPS crashes

Nelson, Cooper cnelson at ucsd.edu
Mon Nov 19 23:31:13 UTC 2018


That's actually a great idea and easy to do with a switched tap like an Arista.

TBH *everyone* should be doing that anyway for redundancy, we just can't afford it currently.

-Coop

-----Original Message-----
From: Michał Purzyński <michalpurzynski1 at gmail.com> 
Sent: Monday, November 19, 2018 1:55 PM
To: Nelson, Cooper <cnelson at ucsd.edu>
Cc: kaviperumal22 at gmail.com; Open Information Security Foundation <oisf-users at lists.openinfosecfoundation.org>
Subject: Re: [Oisf-users] Is it possible to restart suricata with zero drops when suricata-IPS crashes

That's harder than it sounds and needs some architectural changes.

You could run two sensors in a fault-tolerant configuration and have them monitor the same traffic and never restart them at the same time, I guess.
There is a reason no IDS on the market can do it (unless run in some kind of FT mode).

Or, like Cooper said, run IPS and do not forward packets when Suricata is down.

Or just live with it.

On Mon, Nov 19, 2018 at 11:02 AM Nelson, Cooper <cnelson at ucsd.edu> wrote:
>
> If you really wanted to do something like this I would suggest spinning up an indexed full-packet capture solution (like moloch) and then running suricata in off-line mode against the resulting pcaps if it crashes.  Not an ideal solution but it will work.
>
>
>
> If you want suricata to ‘fail closed’ so no data is passed, I think it will do this if it’s configured inline in IPS mode.  In IDS mode you could always use a monitoring tool to run a script to shut down an interface if the suricata process is not running.
>
>
>
> -Coop
>
>
>
> From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> 
> On Behalf Of kavi perumal
> Sent: Sunday, November 18, 2018 9:40 PM
> To: oisf-users at lists.openinfosecfoundation.org
> Subject: [Oisf-users] Is it possible to restart suricata with zero 
> drops when suricata-IPS crashes
>
>
>
> Hi,
>
>
>
> When running suricata in IDS (or) IPS mode in data path, when there is a crash/failure in suricata, is it possible to restart suricata with zero packet drops?
>
>
>
> (or) any way to bypass the traffic until suricata gets restarted?
>
>
>
> Regards
>
> -Kavi Perumal G.
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: 
> http://suricata-ids.org/support/
> List: 
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
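The IDS-mode "fail closed" watchdog Cooper describes above (shut an interface down when the Suricata process is gone) can be put together as a small sh script. The following is an added example, not code from the thread or from the Suricata project; the interface name `eth1`, the pidfile path `/var/run/suricata.pid`, the use of `iproute2` (`ip link`) and the `run` argument that starts the loop are all assumptions to adjust for a real deployment.

```shell
#!/bin/sh
# Added example, not from the thread: a fail-closed watchdog for a passive
# IDS sensor. If the Suricata process is gone, the monitored link is brought
# down so nothing crosses it unobserved; once Suricata is back, the link is
# restored. IFACE and PIDFILE are assumptions, adjust for your deployment.
set -u

IFACE="${IFACE:-eth1}"                       # assumed: monitored interface
PIDFILE="${PIDFILE:-/var/run/suricata.pid}"  # assumed: Suricata's pidfile
INTERVAL="${INTERVAL:-2}"                    # seconds between checks

# Return 0 when the pid recorded in the pidfile belongs to a live process.
suricata_alive() {
    pidfile="$1"
    [ -r "$pidfile" ] || return 1
    pid=$(tr -cd '0-9' < "$pidfile")
    [ -n "$pid" ] || return 1
    kill -0 "$pid" 2>/dev/null
}

# Report the link's administrative state as "up" or "down" (assumed: iproute2).
link_state() {
    if ip -o link show dev "$1" 2>/dev/null | grep -q '[<,]UP[,>]'; then
        echo up
    else
        echo down
    fi
}

# Pure decision function, kept separate so it can be checked without root:
#   $1 = "alive" or "dead", $2 = current link state ("up" or "down").
# Prints bring-down, bring-up or none.
decide_action() {
    case "$1/$2" in
        dead/up)    echo bring-down ;;
        alive/down) echo bring-up ;;
        *)          echo none ;;
    esac
}

# Apply the decision to the real interface; this is the only part that needs root.
apply_action() {
    case "$1" in
        bring-down)
            logger -t suricata-watchdog "suricata not running, failing closed: $IFACE down"
            ip link set dev "$IFACE" down ;;
        bring-up)
            logger -t suricata-watchdog "suricata running again, restoring $IFACE"
            ip link set dev "$IFACE" up ;;
    esac
}

# Run the loop only when invoked as `watchdog.sh run`, so the functions can be
# sourced or tested without touching any interface.
if [ "${1:-}" = "run" ]; then
    while :; do
        if suricata_alive "$PIDFILE"; then status=alive; else status=dead; fi
        apply_action "$(decide_action "$status" "$(link_state "$IFACE")")"
        sleep "$INTERVAL"
    done
fi
```

Run it as root from a supervisor (systemd unit, cron `@reboot`, or similar) with `watchdog.sh run`. The decision logic is separated from the `ip link` side effects so the fail-closed behaviour can be checked on any host, and the link is only restored once a live Suricata pid is found again, so whatever restarts Suricata (systemd `Restart=`, a monitoring tool) decides how long the link stays down. Note this does not reduce packet loss during the outage; it only guarantees that the packets which would have been missed are not silently passed either, which is the trade-off the thread is describing.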
