<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div dir="ltr"></div><div dir="ltr">:me agrees with the architecture presented by Cooper!</div><div dir="ltr"><br></div><div dir="ltr">There are way better, dedicated tools to do the job. Nginx with Lua as a WAF, or mod_security.</div><div dir="ltr"><br></div><div dir="ltr">It has nothing to do with Suricata itself, it’s just about how powerful the architecture is, when sandwiched this way.</div><div dir="ltr"><br>On Dec 5, 2018, at 9:12 PM, Cooper F. Nelson <<a href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a>> wrote:<br><br></div><blockquote type="cite"><div dir="ltr">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<p>This is just my opinion, but I'm a fan of 'defense-in-depth', so
my general model is to put your 'active' security controls in
first (like a WAF); then use suricata to monitor how well they are
working.</p>
<p>So I would use NGINX as a reverse-proxy/SSL terminator and the
put something like Apache with mod_security behind it, with
suricata monitoring the decrypted traffic. Do one thing and do it
well.</p>
<p>In general I do not like the 'IPS' model given how common
false-positives are, combined with a simple core belief that we
should be building robust software stacks, systems and networks
vs. putting digital duct-tape on the wire. That strikes me as
simple sloppy engineering. <br>
</p>
<p>-Coop<br>
</p>
<div class="moz-cite-prefix">On 12/5/2018 8:47 AM, Charles Devoe
wrote:<br>
</div>
<blockquote type="cite" cite="mid:F0A8EAB20003E54A9FB4FF72B5649B4B028529D1E6@CISEXCHANGE1.msisac.org.local"><span style="font-size:12.0pt;font-family:"Times New
Roman",serif">Is theer a reason why Suricat could not be
used as a WAF? Peronally, it seems ot me that If I can use the
same tool to accomplish two things I will be further ahead as I
won’t have to learn another tool.</span></blockquote>
<pre class="moz-signature" cols="72">--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
<a class="moz-txt-link-abbreviated" href="mailto:cnelson@ucsd.edu">cnelson@ucsd.edu</a> x41042</pre>
</div></blockquote><blockquote type="cite"><div dir="ltr"><span>_______________________________________________</span><br><span>Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a></span><br><span>Site: <a href="http://suricata-ids.org">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/">http://suricata-ids.org/support/</a></span><br><span>List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a></span><br><span></span><br><span>Conference: <a href="https://suricon.net">https://suricon.net</a></span><br><span>Trainings: <a href="https://suricata-ids.org/training/">https://suricata-ids.org/training/</a></span></div></blockquote></body></html>