[Oisf-users] Hello and question about setting up Suricata as a Web Application IDS

Chris Wakelin c.d.wakelin at reading.ac.uk
Thu Mar 24 10:30:38 UTC 2011

On 24/03/11 10:19, Michiel van Es wrote:
>  Hi,
>  I am pretty new to Snort/Suricata and WAFs.
>  I have set up Snort with some rules (web-attacks.rules) with some 
>  simple custom rules to detect XSS and SQL Injection:
>  My goal is to set up Suricata as a replacement of snort and it only 
>  should detect XSS and SQL injection attacks, I don't bother about all 
>  other rules/alerts (like portscans etc.).


>  I just want Suricata to detect and log/alert me about these attacks.
>  I use Ubuntu 10.10 (Maverick) 64 bit with the Suricata package from its 
>  repo:
>  root at vps500:/etc/snort/rules# dpkg -l | grep suricata
>  ii  suricata    1.0.1-1    Next Generation Intrusion Detection and Prevention Tool
>  Suricata is running on the same machine that is running the webserver 
>  and its applications.

You may well find that using a Web-Application Firewall such as
ModSecurity for Apache (also free and open-source) is a better fit.
Running as part of Apache means it also works for SSL-enabled sites.
There is a free core ruleset that will catch most SQL-injection and XSS
attempts and a lot of other badness. You can also tweak the rules within
"Directory" or "Location" sections to cope with oddities in individual

Best Wishes,

Christopher Wakelin,                           c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading,  Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 6AF, UK              Fax: +44 (0)118 975 3094
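The ModSecurity approach described in the reply above, shown as an added configuration example that is not part of the thread: mod_security 2.x for Apache in detection-only mode (which matches the original poster's wish to only log and alert), the free core ruleset included, and a per-Location exception for one application. The file paths, the `/app/editor` path and the rule id are assumptions or placeholders, not values from the thread.

```apache
# Added example, not from the mailing-list thread. Assumes mod_security 2.x
# on Apache; paths and the rule id are placeholders to adjust for your install.
<IfModule security2_module>
    # Log and alert only; change to "On" to block once false positives are tuned out.
    SecRuleEngine DetectionOnly
    # Inspect POST bodies, where most SQL-injection and XSS payloads arrive.
    SecRequestBodyAccess On

    # Audit log records the full request/response for each transaction that
    # triggered a rule (RelevantOnly), so alerts can be reviewed later.
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Free core ruleset (assumed install location).
    Include /etc/modsecurity/crs/*.conf
</IfModule>

# Per-application tweak: one application has a legitimate input (for example a
# rich-text editor) that trips an SQLi/XSS rule. Disable only that rule, only
# for that path, instead of weakening the ruleset globally.
<Location /app/editor>
    # PLACEHOLDER id: use the actual rule id from the matching modsec_audit.log entry.
    SecRuleRemoveById 999999
</Location>
```

Because the module runs inside Apache, it inspects requests after TLS termination, which is the reason the reply notes it also covers SSL-enabled sites; a network IDS on the same host would only see the encrypted stream.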
