[Oisf-users] Hello and question about setting up Suricata as a Web Application IDS
Chris Wakelin
c.d.wakelin at reading.ac.uk
Thu Mar 24 10:30:38 UTC 2011
On 24/03/11 10:19, Michiel van Es wrote:
> Hi,
>
> I am pretty new to Snort/Suricata and WAF's.
> I have set up Snort with some rules (web-attacks.rules) with some
> simple custom rules to detect XSS and SQL Injection:
> My goal is to setup Suricata as a replacement of snort and it only
> should detect XSS and SQL injection attacks, I don't bother about all
> other rules/alerts (like portscans etc.).
...
>
> I just want Suricata to detect and log/alert me about these attacks.
> I use Ubuntu 10.10 (Maverick) 64 bit with the Suricata package from its
> repo:
> root at vps500:/etc/snort/rules# dpkg -l | grep suricata
> ii suricata 1.0.1-1
> Next Generation Intrusion Detection and Prevention Tool
>
> Suricata is running on the same machine that is running the webserver
> and its applications.
You may well find that using a Web-Application Firewall such as
ModSecurity for Apache (also free and open-source) is a better fit.
Running as part of Apache means it also works for SSL-enabled sites.
There is a free core ruleset that will catch most SQL-injection and XSS
attempts and a lot of other badness. You can also tweak the rules within
"Directory" or "Location" sections to cope with oddities in individual
web-apps.
Best Wishes,
Chris
--
--+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+---+-
Christopher Wakelin, c.d.wakelin at reading.ac.uk
IT Services Centre, The University of Reading, Tel: +44 (0)118 378 8439
Whiteknights, Reading, RG6 6AF, UK Fax: +44 (0)118 975 3094
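A sketch of the Apache/ModSecurity layout Chris describes above (core ruleset loaded globally, then a per-Location exception for one awkward application), added here as an illustration and not part of the original thread; the CRS include paths, the `/legacy-app/` path and the rule ID are assumptions, not real values from the page.

```apache
# Hypothetical Apache 2 / ModSecurity 2.x fragment (assumed paths and IDs).
<IfModule security2_module>
    # Use "DetectionOnly" to log and alert without blocking, which matches
    # the detect-and-alert goal in the original question; "On" would block.
    SecRuleEngine DetectionOnly
    SecRequestBodyAccess On

    # Log only transactions that triggered a rule.
    SecAuditEngine RelevantOnly
    SecAuditLog /var/log/apache2/modsec_audit.log

    # Load the free OWASP core rule set (paths are an assumption; check
    # where your distribution's modsecurity-crs package installs them).
    Include /etc/modsecurity/crs/modsecurity_crs_10_setup.conf
    Include /etc/modsecurity/crs/base_rules/*.conf

    # Per-application tuning: one legacy app legitimately sends input that
    # trips a particular rule, so disable that single rule only under its
    # path instead of weakening the ruleset site-wide. 999999 is a
    # placeholder for the real rule ID reported in the audit log.
    <Location /legacy-app/>
        SecRuleRemoveById 999999
    </Location>
</IfModule>
```

Keep such exceptions as narrow as possible (one rule, one path) so SQL-injection and XSS coverage stays intact for every other location.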