SELKS in IPS / blocking mode


michel...@gmail.com

Aug 21, 2016, 7:20:33 PM
to SELKS
Hi Peter,

I read that Scirius will soon support configuring the rules in "block" mode. In terms of topology, will this require that the SELKS host is set in bridge mode (the traffic has to go through it), or can it be something like: it can be on a monitor port and send disconnects to the offending sessions?

I currently have mine in bridge mode, it creates a single point of failure (if the SELKS host goes down, no more Internet). I have seen the other setup on other firewalls, where the firewall is not directly in the path of the traffic, but actively kills sessions by sending TCP FINs faking the IP address of the offending host. In that case, if the SELKS host fails, the traffic is no longer protected but keeps flowing.

This is more a Suricata than a Scirius question, I'm trying to grab a better understanding of what the upcoming feature in Scirius will assume about the network topology and the Suricata configuration.

Thanks,
Michel.

Eric Leblond

Aug 22, 2016, 3:00:38 AM
to michel...@gmail.com, SELKS
Hello Michel,

Both are possible (classic IPS and active response) on the Suricata side. So once Scirius has the support you will be able to use both modes.

BR,
--
Eric

--
IRC: Let's talk about SELKS on Freenode IRC on the #SELKS channel
Wiki: https://github.com/StamusNetworks/SELKS/wiki
GitHub: https://github.com/StamusNetworks/SELKS
Blog: https://www.stamus-networks.com/theblog/
Twitter: @StamusN
g+: Stamus Networks
---
You received this message because you are subscribed to the Google Groups "SELKS" group.
To unsubscribe from this group and stop receiving emails from it, send an email to selks+un...@googlegroups.com.
To post to this group, send email to se...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

michel...@gmail.com

Aug 22, 2016, 1:11:52 PM
to SELKS, michel...@gmail.com
> Eric Leblond wrote:
> Both are possible (classic IPS and active response) on Suricata side. So once Scirius will have the support you will be able to use both mode.

Hi Eric,

When Scirius has the support, do you anticipate that any other component in the SELKS distro would go and modify the suricata.yaml for this kind of thing? In other words, is there going to be a SELKS front-end to Suricata for this?

Thanks,
Michel.

Peter Manev

Aug 23, 2016, 3:22:49 AM
to michel...@gmail.com, SELKS
Scirius would be the front end to modifying the rule set. For
suricata.yaml you would still need to adjust the interfaces config
accordingly.




--
Regards,
Peter Manev
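
Editor's note with an added example (this is not SELKS' shipped suricata.yaml, nor anything from the Scirius feature discussed above; it is configuration I am adding to show the two topologies Eric and Peter describe). It covers the "interfaces config" Peter says you still have to adjust by hand and the two Suricata modes Eric names: a classic inline IPS where Suricata bridges two interfaces with af-packet in IPS copy mode, and a passive sensor on a monitor port that kills sessions with "reject" rules. The interface names eth0/eth1, the rule file name and the two rules are assumptions chosen for illustration. One point worth knowing for the monitor-port design: Suricata's active response is a forged TCP RST (an ICMP unreachable for UDP), not a FIN, so it competes with the real traffic and can only tear down a session after the first matching packet has already been delivered.

```yaml
# suricata.yaml excerpt. Added example, not SELKS' or Scirius' own config.
# Interface names eth0/eth1 and the rule file are assumptions.
#
# Variant A: classic inline IPS. Suricata itself is the bridge: every frame
# received on eth0 that is not dropped is copied to eth1 and vice versa.
# If the Suricata process stops, nothing forwards frames any more, which is
# the single point of failure Michel describes for his bridge setup.
af-packet:
  - interface: eth0
    threads: 1
    cluster-id: 98          # must be unique per interface
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips          # "tap" would copy everything and never drop
    copy-iface: eth1
    use-mmap: yes
  - interface: eth1
    threads: 1
    cluster-id: 97
    cluster-type: cluster_flow
    defrag: yes
    copy-mode: ips
    copy-iface: eth0
    use-mmap: yes
#
# Variant B: passive sensor on a SPAN/monitor port with active response.
# Remove copy-mode/copy-iface so af-packet runs in plain IDS mode, and use
# "reject" instead of "drop" in the rules: Suricata then emits a TCP RST
# (ICMP unreachable for UDP) towards the endpoints instead of withholding
# the frame. Traffic keeps flowing if Suricata dies, but a session is only
# killed after the first matching packet has already reached its target.
# af-packet:
#   - interface: eth0
#     threads: 1
#     cluster-id: 98
#     cluster-type: cluster_flow
#     defrag: yes
#     use-mmap: yes

stream:
  inline: auto              # stream engine switches to inline handling when af-packet is in IPS copy mode

default-rule-path: /etc/suricata/rules
rule-files:
  - blocking-example.rules  # assumed file; it would hold the two example rules below
#
# "drop" only blocks in variant A; in IDS mode it just logs an alert flagged as drop.
# drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Example inline drop of telnet"; sid:9000001; rev:1;)
#
# "reject" works in both variants: it sends the RST and, in variant A, also drops the packet.
# reject tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Example RST-based active response"; sid:9000002; rev:1;)
```

Start it with `suricata -c /etc/suricata/suricata.yaml --af-packet`; a rule whose action is still `alert` behaves identically in either variant, which is why the rule action (what Scirius will manage) and the interface layout (what you keep editing in suricata.yaml, as Peter notes) are two separate decisions. When testing variant B, watch the eve.json alerts for the reject hits and confirm on the client that the connection actually resets; if the RST loses the race with the real packets the rule will fire without the session dying.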