[Oisf-users] Is it possible to restart suricata with zero drops when suricata-IPS crashes

David Wharton oisf at davidwharton.us
Tue Nov 20 05:12:17 UTC 2018


A process isn't going to be able to resurrect itself if it dies 
unexpectedly, so you'll need an external monitoring solution.  This could 
be a simple bash script that is run by cron every minute (assuming 60 
seconds isn't too long to be down) that checks if the suricata process is 
running and starts it if it isn't.  Or you could go with an arguably 
more robust and full-featured option, something like Monit 
(https://mmonit.com/monit/), supervisord (http://supervisord.org/), or 
one of the other similar solutions out there.

-David
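As an added example (this is not David's code, nor anything shipped by the Suricata project): a POSIX sh watchdog of the kind David describes, meant to be run from cron every minute, which also implements the fail-closed variant Cooper suggests further down the thread for IDS mode (take the monitored interface down while Suricata is not running). The PID file path, the start command, the interface name and the FAIL_MODE setting are assumptions for illustration, not Suricata defaults. The check deliberately handles the two states a crash leaves behind: no PID file at all, and a stale PID file whose PID is gone or has been recycled by an unrelated process.

```shell
#!/bin/sh
# Suricata watchdog: added example, not code from this thread or from the
# Suricata project. Every value below is a hypothetical default; override
# them in the environment to match the deployment.
#   PIDFILE   - where Suricata was told to write its PID (--pidfile)
#   START_CMD - command that (re)starts Suricata
#   IFACE     - monitored interface, only touched when FAIL_MODE=closed
#   FAIL_MODE - open   : just restart Suricata (David's cron script)
#               closed : also take IFACE down while Suricata is dead
#                        (Cooper's fail-closed idea for IDS mode)
PIDFILE="${PIDFILE:-/var/run/suricata.pid}"
START_CMD="${START_CMD:-systemctl start suricata}"
IFACE="${IFACE:-eth1}"
FAIL_MODE="${FAIL_MODE:-open}"

# pid_alive PIDFILE [COMM]
# Exit 0 if PIDFILE names a live process and, when COMM is given, one whose
# command name is COMM. A bare "kill -0" would happily accept a PID that the
# kernel has since handed to some unrelated process, so the command name is
# checked as well when the caller asks for it.
pid_alive() {
    _pidfile="$1"
    _want="${2:-}"
    [ -r "$_pidfile" ] || return 1                 # no pidfile: not running
    _pid=$(tr -cd '0-9' < "$_pidfile")
    [ -n "$_pid" ] || return 1                     # empty or garbage pidfile
    kill -0 "$_pid" 2>/dev/null || return 1        # stale pidfile, PID gone
    if [ -n "$_want" ]; then
        _have=$(ps -o comm= -p "$_pid" 2>/dev/null | tr -d ' ')
        [ "$_have" = "$_want" ] || return 1        # PID recycled by another program
    fi
    return 0
}

# decide_action ALIVE FAIL_MODE
# ALIVE is 0 when Suricata is running, 1 otherwise. Prints the action to take.
# Kept free of side effects so the policy can be tested without root.
decide_action() {
    if [ "$1" -eq 0 ]; then
        echo noop
    elif [ "$2" = closed ]; then
        echo ifdown-restart
    else
        echo restart
    fi
}

# One watchdog pass; schedule it from cron every minute or call it in a loop.
watchdog_once() {
    if pid_alive "$PIDFILE" suricata; then alive=0; else alive=1; fi
    action=$(decide_action "$alive" "$FAIL_MODE")
    case "$action" in
        noop)
            ;;
        ifdown-restart)
            logger -t suricata-watchdog "suricata down; $IFACE down (fail closed), restarting"
            ip link set dev "$IFACE" down
            $START_CMD
            sleep 5
            # Only bring the interface back if Suricata actually came up;
            # otherwise stay failed closed until the next pass.
            pid_alive "$PIDFILE" suricata && ip link set dev "$IFACE" up
            ;;
        restart)
            logger -t suricata-watchdog "suricata down; restarting"
            $START_CMD
            ;;
    esac
}

# Only act when invoked with "run", so the file can also be sourced for testing.
case "${1:-}" in
    run) watchdog_once ;;
esac
```

A crontab line such as `* * * * * /usr/local/sbin/suricata-watchdog run` (path assumed) gives the one-minute restart window David mentions. Two caveats for Kavi's fail-open requirement: this script cannot make an inline AF_PACKET IPS pass traffic while Suricata is dead, since nothing copies packets between the two interfaces without the process; and with NFQUEUE the kernel's `--queue-bypass` option on the NFQUEUE rule accepts packets when no program is attached to the queue, which is the one software-only fail-open that needs no bypass NIC. Neither gives zero drops across a restart; that still needs the redundant-sensor setup Michał describes.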

On 11/19/18 11:26 PM, kavi perumal wrote:
> Hi All,
>
> Thanks for comments.
>
>
>       Nelson, Cooper, Michał Purzyński, actually my requirement is to
>       allow all traffic in case suricata is down. I don't want to drop
>       packets.
>
> @Nelson, Cooper: is there any configuration to configure suricata to 
> restart by itself in case of failure within a specific time?
>
> Regards
> -Kavi Perumal G.
>
> On Tue, Nov 20, 2018 at 5:02 AM Nelson, Cooper <cnelson at ucsd.edu 
> <mailto:cnelson at ucsd.edu>> wrote:
>
>     That's actually a great idea and easy to do with a switched tap
>     like an Arista.
>
>     TBH *everyone* should be doing that anyway for redundancy, we just
>     can't afford it currently.
>
>     -Coop
>
>     -----Original Message-----
>     From: Michał Purzyński <michalpurzynski1 at gmail.com
>     <mailto:michalpurzynski1 at gmail.com>>
>     Sent: Monday, November 19, 2018 1:55 PM
>     To: Nelson, Cooper <cnelson at ucsd.edu <mailto:cnelson at ucsd.edu>>
>     Cc: kaviperumal22 at gmail.com <mailto:kaviperumal22 at gmail.com>; Open
>     Information Security Foundation
>     <oisf-users at lists.openinfosecfoundation.org
>     <mailto:oisf-users at lists.openinfosecfoundation.org>>
>     Subject: Re: [Oisf-users] Is it possible to restart suricata with
>     zero drops when suricata-IPS crashes
>
>     That's harder than it sounds and needs some architectural changes.
>
>     You could run two sensors in a fault-tolerant configuration and
>     have them monitor the same traffic and never restart them at the
>     same time, I guess.
>     There is a reason no IDS on the market can do it (unless run in
>     some kind of FT mode).
>
>     Or, like Cooper said, run IPS and do not forward packets when
>     Suricata is down.
>
>     Or just live with it.
>     On Mon, Nov 19, 2018 at 11:02 AM Nelson, Cooper <cnelson at ucsd.edu
>     <mailto:cnelson at ucsd.edu>> wrote:
>     >
>     > If you really wanted to do something like this I would suggest
>     spinning up an indexed full-packet capture solution (like moloch)
>     and then running suricata in off-line mode against the resulting
>     pcaps if it crashes.  Not an ideal solution but it will work.
>     >
>     > If you want suricata to ‘fail closed’ so no data is passed I
>     think it will do this if it’s configured inline in IPS mode.  In
>     IDS mode you could always use a monitoring tool to run a script
>     to shut down an interface if the suricata process is not running.
>     >
>     > -Coop
>     >
>     > From: Oisf-users
>     <oisf-users-bounces at lists.openinfosecfoundation.org
>     <mailto:oisf-users-bounces at lists.openinfosecfoundation.org>>
>     > On Behalf Of kavi perumal
>     > Sent: Sunday, November 18, 2018 9:40 PM
>     > To: oisf-users at lists.openinfosecfoundation.org
>     <mailto:oisf-users at lists.openinfosecfoundation.org>
>     > Subject: [Oisf-users] Is it possible to restart suricata with zero
>     > drops when suricata-IPS crashes
>     >
>     > Hi,
>     >
>     > When running suricata in IDS or IPS mode in the data path, if
>     there is a crash/failure in suricata, is it possible to restart
>     suricata with zero packet drops?
>     >
>     > Or is there any way to bypass the traffic until suricata gets restarted?
>     >
>     > Regards
>     >
>     > -Kavi Perumal G.
>     >
>     > _______________________________________________
>     > Suricata IDS Users mailing list:
>     oisf-users at openinfosecfoundation.org
>     <mailto:oisf-users at openinfosecfoundation.org>
>     > Site: http://suricata-ids.org | Support:
>     > http://suricata-ids.org/support/
>     > List:
>     > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>     >
>     > Conference: https://suricon.net
>     > Trainings: https://suricata-ids.org/training/
>
>