[Oisf-users] Hello and question about setting up Suricata as a Web Application IDS

Michiel van Es mve at pcintelligence.nl
Thu Mar 24 10:19:08 UTC 2011


 I am pretty new to Snort/Suricata and WAF's.
 I have set up Snort with some rules (web-attacks.rules) with some 
 simple custom rules to detect XSS and SQL Injection:

 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL 
 Injection - Paranoid"; 
 classtype:Web-application-attack; sid:9099; rev:5;)
 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"NII 
 Cross-site scripting attempt"; flow:to_server,established; 
 classtype:Web-application-attack; sid:9000; rev:5;)

 My goal is to setup Suricata as a replacement of snort and it only 
 should detect XSS and SQL injection attacks, I don't bother about all 
 other rules/alerts (like portscans etc.).

 I just want Suricata to detect and log/alert me about these attacks.
 I use Ubuntu 10.10 (Maverick) 64 bit with the Suricata package from its 
 root at vps500:/etc/snort/rules# dpkg -l | grep suricata
 ii  suricata                         1.0.1-1                            
               Next Generation Intrusion Detection and Prevention Tool

 Suricata is running on the same machine that is running the webserver 
 and its applications.

 My Question:

 What is the quickest way to copy my snort config or start with a new 
 config that only does web application detection and alerting?
 Should I copy/use the /etc/snort/rules/web-*.rules and nothing else?
 Is someone already using this kind of IDS/WA(F) setup to monitor their 
 web applications?

 Also, I found out that Suricata is using 24% of my total physical 
 memory (2 GB) when running with the default suricata-debian.yaml config 
 , can I reduce that amount of memory usage?

 Thanks in advance for any help and sorry for the amount of newbie 
 questions :)

 Regards and keep up the good work!


More information about the Oisf-users mailing list