[Oisf-users] Hello and question about setting up Suricata as a Web Application IDS
Michiel van Es
mve at pcintelligence.nl
Thu Mar 24 10:34:22 UTC 2011
On Thu, 24 Mar 2011 10:30:38 +0000, Chris Wakelin wrote:
> On 24/03/11 10:19, Michiel van Es wrote:
>> Hi,
>>
>> I am pretty new to Snort/Suricata and WAFs.
>> I have set up Snort with some rules (web-attacks.rules) with some
>> simple custom rules to detect XSS and SQL Injection:
>> My goal is to set up Suricata as a replacement of Snort, and it only
>> should detect XSS and SQL injection attacks; I don't care about all
>> other rules/alerts (like portscans etc.).
>
> ...
>
>>
>> I just want Suricata to detect and log/alert me about these
>> attacks.
>> I use Ubuntu 10.10 (Maverick) 64 bit with the Suricata package from
>> its repo:
>> root at vps500:/etc/snort/rules# dpkg -l | grep suricata
>> ii suricata 1.0.1-1 Next Generation Intrusion Detection and Prevention Tool
>>
>> Suricata is running on the same machine that is running the
>> webserver and its applications.
>
> You may well find that using a Web-Application Firewall such as
> ModSecurity for Apache (also free and open-source) is a better fit.
> Running as part of Apache means it also works for SSL-enabled sites.
> There is a free core ruleset that will catch most SQL-injection and
> XSS attempts and a lot of other badness. You can also tweak the rules
> within "Directory" or "Location" sections to cope with oddities in
> individual web-apps.
Hi Chris,
Thanks for your reply.
'Sadly' I am running Nginx instead of Apache and its Slowloris debacle
(http://ha.ckers.org/slowloris/).
There isn't a mod_security for Nginx, and I am rather looking for
something that does not care about the product behind it but just
filters and detects patterns in HTTP requests.
That is why I chose Snort/Suricata. :)
>
> Best Wishes,
> Chris
Regards,
Michiel
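For readers who want the backend-agnostic setup Michiel describes, the rules below are an added illustration (not from the thread or the Suricata project) of the kind of minimal custom rule set that alerts only on simple XSS and SQL-injection patterns in HTTP requests, using Suricata 1.0.x content modifiers. `$HOME_NET` and `$HTTP_PORTS` are the standard variables from suricata.yaml; the sid values and the pattern strings are constructed for this example, and cleartext HTTP is assumed since traffic inside SSL is not visible to a network IDS.

```suricata
# web-attacks-local.rules (constructed example, not part of the original post)
# Load only this file in suricata.yaml (rule-files:) to skip portscan and other noise.

# XSS: a <script tag in the request URI, case-insensitive
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL WEB-ATTACK possible XSS in URI"; flow:to_server,established; content:"<script"; nocase; http_uri; classtype:web-application-attack; sid:9000001; rev:1;)

# XSS: the same pattern inside a POST body (forms, JSON, etc.)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL WEB-ATTACK possible XSS in POST body"; flow:to_server,established; content:"<script"; nocase; http_client_body; classtype:web-application-attack; sid:9000002; rev:1;)

# SQLi: classic boolean tautology in the URI, e.g. ' or 1=1
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL WEB-ATTACK possible SQL injection in URI"; flow:to_server,established; content:"' or 1=1"; nocase; http_uri; classtype:web-application-attack; sid:9000003; rev:1;)

# SQLi: UNION SELECT in the URI; the two keywords must appear in this order
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL WEB-ATTACK possible UNION SELECT in URI"; flow:to_server,established; content:"union"; nocase; http_uri; content:"select"; nocase; http_uri; distance:0; classtype:web-application-attack; sid:9000004; rev:1;)
```

Plain `content` matches like these are deliberately narrow and will miss encoded or obfuscated variants, so expect to extend them (or adopt a maintained ruleset) once the baseline alerts in fast.log look sane.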