[Oisf-users] Hello and question about setting up Suricata as a Web Application IDS
Michiel van Es
mve at pcintelligence.nl
Thu Mar 24 10:19:08 UTC 2011
Hi,
I am pretty new to Snort/Suricata and WAFs.
I have set up Snort with some rules (web-attacks.rules) with some
simple custom rules to detect XSS and SQL Injection:
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL Injection - Paranoid"; flow:to_server,established; uricontent:".pl"; pcre:"/(\%27)|(\')|(\-\-)|(%23)|(#)/i"; classtype:web-application-attack; sid:9099; rev:5;)

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NII Cross-site scripting attempt"; flow:to_server,established; pcre:"/((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)/i"; classtype:web-application-attack; sid:9000; rev:5;)
My goal is to set up Suricata as a replacement for Snort, and it only
needs to detect XSS and SQL injection attacks; I'm not bothered about all
other rules/alerts (like portscans etc.).
I just want Suricata to detect and log/alert me about these attacks.
I use Ubuntu 10.10 (Maverick) 64 bit with the Suricata package from its
repo:
root at vps500:/etc/snort/rules# dpkg -l | grep suricata
ii suricata 1.0.1-1
Next Generation Intrusion Detection and Prevention Tool
Suricata is running on the same machine that is running the webserver
and its applications.
My Question:
What is the quickest way to copy my snort config or start with a new
config that only does web application detection and alerting?
Should I copy/use the /etc/snort/rules/web-*.rules and nothing else?
Is someone already using this kind of IDS/WA(F) setup to monitor their
web applications?
Also, I found out that Suricata is using 24% of my total physical
memory (2 GB) when running with the default suricata-debian.yaml config.
Can I reduce that amount of memory usage?
Thanks in advance for any help and sorry for the amount of newbie
questions :)
Regards and keep up the good work!
Michiel
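To see what the two rules quoted above will actually fire on before porting them, here is an added example (not part of the original post, and not Snort or Suricata code) that emulates their uricontent/pcre matching over a few constructed request URIs. It shows how broad the "Paranoid" pattern is (any apostrophe or '#' on a .pl URI alerts) and how the ".pl" uricontent keeps the same payload on a non-.pl URI silent, which matters when tuning for false positives.

```python
import re

# The two rules from the post, reduced to the parts that decide a match:
# an optional uricontent substring test, then the pcre applied to the URI.
# Constructed emulation only; the real rules also need flow:to_server,established.
RULES = {
    9099: {  # "SQL Injection - Paranoid"
        "uricontent": ".pl",
        "pcre": re.compile(r"(\%27)|(\')|(\-\-)|(%23)|(#)", re.IGNORECASE),
    },
    9000: {  # "NII Cross-site scripting attempt"
        "uricontent": None,
        "pcre": re.compile(r"((\%3C)|<)((\%2F)|\/)*[a-z0-9\%]+((\%3E)|>)", re.IGNORECASE),
    },
}


def matching_sids(uri: str) -> list[int]:
    """Return the sids whose uricontent AND pcre both match the request URI."""
    hits = []
    for sid, rule in RULES.items():
        needle = rule["uricontent"]
        if needle is not None and needle not in uri:
            continue  # uricontent is a hard prerequisite for the pcre
        if rule["pcre"].search(uri):
            hits.append(sid)
    return sorted(hits)


# Constructed sample URIs, not captured traffic.
SAMPLE_URIS = [
    "/cgi-bin/search.pl?q=it's+fine",                   # benign apostrophe fires 9099
    "/index.php?id=1%27+OR+1%3D1--",                     # no ".pl" in URI: 9099 silent
    "/comment?text=%3Cscript%3Ealert(1)%3C/script%3E",   # encoded tag: 9000
    "/cgi-bin/view.pl?colour=%23ff0000",                 # URL-encoded '#' in a colour: 9099
    "/about.html",                                       # nothing
]


def evaluate(uris=SAMPLE_URIS) -> dict[str, list[int]]:
    """Map each sample URI to the list of sids it would trigger."""
    return {u: matching_sids(u) for u in uris}


if __name__ == "__main__":
    for uri, sids in evaluate().items():
        print(f"{uri:55} -> {sids or 'no alert'}")
```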