[Oisf-users] Suricata as an IPS
Andreas Herz
aherz at oisf.net
Thu Dec 19 20:29:58 UTC 2019
Hi Charles,
On 19/11/19 at 14:18, Charles Devoe wrote:
> There is a bit of a debate going on here as to whether Suricata has to be inline to work in IPS mode.
>
> The confusion is coming from this
>
> Reject
> This is an active rejection of the packet. Both receiver and sender receive a reject packet. There are two types of reject packets that will be automatically selected. If the offending packet concerns TCP, it will be a Reset-packet. For all other protocols it will be an ICMP-error packet. Suricata also generates an alert. When in Inline/IPS mode, the offending packet will also be dropped like with the 'drop' action.
>
>
> Some are reading this as we can monitor on one interface and send out the reject over a management interface. In essence we would receive traffic via a tap or SPAN/Mirror port and send it back out over a management port.
>
> So the bottom line here : Is it possible to run Suricata as an IPS without being in line.
This ended up in a discussion for me as well within the team. So could
you create an issue for that in redmine?
We really need to improve the documentation for that part.
Thanks
--
Andreas Herz
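For readers following the thread, here is an added configuration illustration (not part of the original messages and not Suricata's shipped default) that contrasts the two deployment modes under discussion. The interface names eth1 and eth2 are assumed placeholders. In passive mode Suricata only observes a SPAN/tap copy and the 'reject' action can merely emit a TCP RST or ICMP error from its capture interface; only the inline af-packet copy-mode pairing puts Suricata in the forwarding path so that 'drop' and 'reject' actually prevent delivery.

```yaml
# Added example, not from the Oisf-users thread. Interface names are assumed.
#
# Passive sensor (IDS) on a SPAN/tap port: Suricata sees a copy of the traffic.
# 'reject' can still send a RST/ICMP error out of eth1, but no packet is ever
# dropped, and the reset only helps if eth1 can transmit toward the endpoints.
# (Shown commented out so this file stays a single valid YAML document.)
#
# af-packet:
#   - interface: eth1
#     cluster-id: 99
#     cluster-type: cluster_flow
#     defrag: yes

# Inline IPS: frames entering eth1 are forwarded out eth2 and vice versa, so
# Suricata is the bridge between the two segments. Here 'drop' discards the
# packet and 'reject' both discards it and signals both ends.
af-packet:
  - interface: eth1
    copy-mode: ips
    copy-iface: eth2
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
  - interface: eth2
    copy-mode: ips
    copy-iface: eth1
    cluster-id: 98
    cluster-type: cluster_flow
    defrag: yes
    use-mmap: yes
```

A quick way to confirm which mode a sensor is really in: with the inline pairing, a flow matched by a 'drop' rule never arrives at the far side; with the passive configuration the same flow still completes, even if an alert and a reset are generated.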