Our implementation of suricata is a little different. We've got one as IPS (just few rules) and second as IDS (all rules (block of rules) are switched on). In the log of IDS we determine which chains should be filtered and then we filter them one by one on IPS. The main thing is to not to cut of any of the customers (in our case).
---------- Původní zpráva ----------
Od: Tristan supersluether@gmail.com
Komu: tor-relays@lists.torproject.org
Datum: 6. 10. 2016 16:50:33
Předmět: Re: [tor-relays] Intrusion Prevention System Software - Snort or Suricata or no IPS at all
"
Suricata allows direct access via the Tor network, Snort's website gave me multiple failed Captchas before I could access anything. I'm going to do some further research before I even think about implementing anything.
How does one detect false positives when running an IPS? Do you just frequently check the alerts and change the rules when necessary?
On Thu, Oct 6, 2016 at 9:45 AM, Ralph Seichter <tor-relays-ml@horus-it.de (mailto:tor-relays-ml@horus-it.de)> wrote:
"On 06.10.16 16:24, oconor@email.cz(mailto:oconor@email.cz) wrote:
The subject of this thread is: Intrusion Prevention System Software -
Snort or Suricata
Fixed that for you. ;-)
If the only thing you wanted to say was, that you're against that,
we're probably done ;)
Stating that I oppose the idea of IPS as means of automatic censorship
of Tor exit nodes is part of the discussion.
-Ralph
______________________________ _________________
tor-relays mailing list
tor-relays@lists.torproject. org(mailto:tor-relays@lists.torproject.org)
https://lists.torproject.org/ cgi-bin/mailman/listinfo/tor- relays (https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays)
"