[Oisf-users] Hello and question about setting up Suricata as a Web Application IDS

Michiel van Es mve at pcintelligence.nl
Thu Mar 24 10:34:22 UTC 2011

 On Thu, 24 Mar 2011 10:30:38 +0000, Chris Wakelin wrote:
> On 24/03/11 10:19, Michiel van Es wrote:
>>  Hi,
>>  I am pretty new to Snort/Suricata and WAF's.
>>  I have set up Snort with some rules (web-attacks.rules) with some
>>  simple custom rules to detect XSS and SQL Injection:
>>  My goal is to setup Suricata as a replacement of snort and it only
>>  should detect XSS and SQL injection attacks, I don't bother about 
>> all
>>  other rules/alerts (like portscans etc.).
> ...
>>  I just want Suricata to detect and log/alert me about these 
>> attacks.
>>  I use Ubuntu 10.10 (Maverick) 64 bit with the Suricata package from 
>> its
>>  repo:
>>  root at vps500:/etc/snort/rules# dpkg -l | grep suricata
>>  ii  suricata                         1.0.1-1
>>                Next Generation Intrusion Detection and Prevention 
>> Tool
>>  Suricata is running on the same machine that is running the 
>> webserver
>>  and its applications.
> You may well find that using a Web-Application Firewall such as
> ModSecurity for Apache (also free and open-source) is a better fit.
> Running as part of Apache means it also works for SSL-enabled sites.
> There is a free core ruleset that will catch most SQL-injection and 
> attempts and a lot of other badness. You can also tweak the rules 
> within
> "Directory" or "Location" sections to cope with oddities in 
> individual
> web-apps.

 Hi Chris,

 Thanks for your reply.
 'Sadly' I am running Nginx instead of Apache and its Slowloris debacle 
 There isn't a mod_security for Nginx and I am rahter looking for 
 something that does not care about the product behind it but just 
 filters and detect patterns in HTTP requests.
 That is why I choose for Snort/Suricata. :)
> Best Wishes,
> Chris



More information about the Oisf-users mailing list