[Oisf-users] Is it possible to restart suricata with zero drops when suricata-IPS crashes

kavi perumal kaviperumal22 at gmail.com
Tue Nov 20 04:26:59 UTC 2018


Hi All,

Thanks for comments.
Nelson, Cooper, Michał Purzyński, actually my requirement is to allow all
traffic in case suricata is down. I don't want to drop packets.
@Nelson, Cooper: is there any configuration to configure suricata to
restart by itself in case of failure within a specific time?

Regards
-Kavi Perumal G.

On Tue, Nov 20, 2018 at 5:02 AM Nelson, Cooper <cnelson at ucsd.edu> wrote:

> That's actually a great idea and easy to do with a switched tap like an
> Arista.
>
> TBH *everyone* should be doing that anyway for redundancy, we just can't
> afford it currently.
>
> -Coop
>
> -----Original Message-----
> From: Michał Purzyński <michalpurzynski1 at gmail.com>
> Sent: Monday, November 19, 2018 1:55 PM
> To: Nelson, Cooper <cnelson at ucsd.edu>
> Cc: kaviperumal22 at gmail.com; Open Information Security Foundation <
> oisf-users at lists.openinfosecfoundation.org>
> Subject: Re: [Oisf-users] Is it possible to restart suricata with zero
> drops when suricata-IPS crashes
>
> That's harder than it sounds and needs some architectural changes.
>
> You could run two sensors in a fault-tolerant configuration and have them
> monitor the same traffic and never restart them at the same time, I guess.
> There is a reason no IDS on the market can do it (unless run in some kind
> of FT mode).
>
> Or, like Cooper said, run IPS and do not forward packets when Suricata is
> down.
>
> Or just live with it.
> On Mon, Nov 19, 2018 at 11:02 AM Nelson, Cooper <cnelson at ucsd.edu> wrote:
> >
> > If you really wanted to do something like this I would suggest spinning
> up an indexed full-packet capture solution (like moloch) and then running
> suricata in off-line mode against the resulting pcaps if it crashes.  Not
> an ideal solution but it will work.
> >
> > IF you want suricata to ‘fail closed’ so no data is passed I think it
> will do this if it’s configured inline in IPS mode.  In IDS mode you could
> always use a monitoring tool to run a script to shut down an interface if
> the suricata process is not running.
> >
> > -Coop
> >
> > From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org>
> > On Behalf Of kavi perumal
> > Sent: Sunday, November 18, 2018 9:40 PM
> > To: oisf-users at lists.openinfosecfoundation.org
> > Subject: [Oisf-users] Is it possible to restart suricata with zero
> > drops when suricata-IPS crashes
> >
> > Hi,
> >
> > When running suricata in IDS (or) IPS mode in data path, when there is a
> crash/failure in suricata, is it possible to restart suricata with zero
> packet drops?
> >
> > (or) any way to bypass the traffic until suricata gets restarted?
> >
> > Regards
> >
> > -Kavi Perumal G.
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support:
> > http://suricata-ids.org/support/
> > List:
> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
>
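The watchdog Cooper describes above (shut the monitored interface down when the suricata process is gone, i.e. fail closed in IDS mode), written out as an added example; it is not code from this thread or from the Suricata project. It assumes suricata runs with --pidfile /var/run/suricata.pid, that eth1 is the monitored interface, that a systemd unit named "suricata" exists, and that the script is saved as suricata-watchdog.sh and run as root every few seconds from cron or a systemd timer.

```shell
#!/bin/sh
# Added example: fail-closed watchdog for a Suricata IDS sensor.
# Assumptions (not from the thread): suricata runs with
# --pidfile /var/run/suricata.pid, the monitored interface is eth1,
# the systemd unit is called "suricata", and this runs as root.

PIDFILE="${PIDFILE:-/var/run/suricata.pid}"
IFACE="${IFACE:-eth1}"
# Prefix placed before privileged commands; set RUN_CMD=echo to
# dry-run and only print what would have been executed.
RUN_CMD="${RUN_CMD:-}"

# Return 0 when the pid file names a live process, 1 otherwise.
# A stale pid file left behind by a crash counts as "not running".
suricata_running() {
  pidfile="$1"
  [ -r "$pidfile" ] || return 1
  pid=$(tr -d '[:space:]' < "$pidfile")
  case "$pid" in ''|*[!0-9]*) return 1 ;; esac
  kill -0 "$pid" 2>/dev/null
}

# One watchdog pass: print "ok" and return 0 while suricata is up;
# otherwise take the interface down (fail closed), ask systemd to
# restart suricata, print "failed-closed" and return 2.
watchdog_once() {
  pidfile="$1"
  iface="$2"
  if suricata_running "$pidfile"; then
    echo "ok"
    return 0
  fi
  # Stop passing traffic on the monitored link before anything else.
  $RUN_CMD ip link set "$iface" down
  # Restart through systemd (unit name is an assumption).
  $RUN_CMD systemctl restart suricata
  echo "failed-closed"
  return 2
}

# Run a single pass only when invoked as the script itself, so the
# functions can also be sourced without touching any interface.
case "$0" in
  *suricata-watchdog*) watchdog_once "$PIDFILE" "$IFACE" ;;
esac
```

Bringing the interface back up once suricata is running again is the reverse step and is left to the operator, so a sensor that crashed stays dark until someone looks at it.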