[Oisf-users] Hello and question about setting up Suricata as a Web Application IDS
Michiel van Es
mve at pcintelligence.nl
Thu Mar 24 13:04:05 UTC 2011
On Thu, 24 Mar 2011 12:27:02 +0100, Victor Julien wrote:
> On 03/24/2011 11:34 AM, Michiel van Es wrote:
>> On Thu, 24 Mar 2011 10:30:38 +0000, Chris Wakelin wrote:
>>> On 24/03/11 10:19, Michiel van Es wrote:
>>>> Hi,
>>>>
>>>> I am pretty new to Snort/Suricata and WAF's.
>>>> I have set up Snort with some rules (web-attacks.rules) with some
>>>> simple custom rules to detect XSS and SQL Injection:
>>>> My goal is to setup Suricata as a replacement of snort and it
>>>> only
>>>> should detect XSS and SQL injection attacks, I don't bother about
>>>> all
>>>> other rules/alerts (like portscans etc.).
>>>
>>> ...
>>>
>>>>
>>>> I just want Suricata to detect and log/alert me about these
>>>> attacks.
>>>> I use Ubuntu 10.10 (Maverick) 64 bit with the Suricata package
>>>> from
>>>> its
>>>> repo:
>>>> root at vps500:/etc/snort/rules# dpkg -l | grep suricata
>>>> ii suricata 1.0.1-1
>>>> Next Generation Intrusion Detection and Prevention
>
> May I suggest installing from source. Preferably the latest GIT code.
>
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT
>
> Or else at least 1.0.2:
>
>
> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation
>
> Btw, since you are using Ubuntu there are at least 2 ppa's available
> that provide more up 2 date builds:
>
> https://launchpad.net/~honeynet/+archive/nightly
> https://launchpad.net/~ebf0/+archive/gamelinux/
Hi Victor,
I tried the PPA and the source 1.0.2 version but I am not receiving
http requests in the /var/log/suricata/http.log logfile anymore.
suricata.yaml:
  # a line based log of HTTP requests (no alerts)
  - http-log:
      enabled: yes
      filename: http.log

libhtp:
  default-config:
    personality: IDS
  server-config:
    - apache:
        address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
        personality: Apache_2_2
    - iis7:
        address:
          - 192.168.0.0/24
          - 192.168.10.0/24
        personality: IIS_7_0

HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
EXTERNAL_NET: any
HTTP_SERVERS: "$HOME_NET"
SMTP_SERVERS: "$HOME_NET"
SQL_SERVERS: "$HOME_NET"
DNS_SERVERS: "$HOME_NET"
TELNET_SERVERS: "$HOME_NET"
AIM_SERVERS: any

# Holds the port group vars that would be passed in a Signature.
# These would be retrieved during the Signature port parsing stage.
port-groups:
  HTTP_PORTS: "80"
  SHELLCODE_PORTS: "!80"
  ORACLE_PORTS: 1521
  SSH_PORTS: 22
suricata --dump-config /etc/suricata/suricata/yaml:
libhtp = (null)
libhtp.default-config = (null)
libhtp.default-config.personality = IDS
libhtp.server-config = (null)
libhtp.server-config.0 = apache
libhtp.server-config.0.apache = (null)
libhtp.server-config.0.apache.address = (null)
libhtp.server-config.0.apache.address.0 = 192.168.1.0/24
libhtp.server-config.0.apache.address.1 = 127.0.0.0/8
libhtp.server-config.0.apache.address.2 = ::1
libhtp.server-config.0.apache.personality = Apache_2_2
libhtp.server-config.1 = iis7
libhtp.server-config.1.iis7 = (null)
libhtp.server-config.1.iis7.address = (null)
libhtp.server-config.1.iis7.address.0 = 192.168.0.0/24
libhtp.server-config.1.iis7.address.1 = 192.168.10.0/24
libhtp.server-config.1.iis7.personality = IIS_7_0
profiling = (null)
profiling.rules = (null)
profiling.rules.enabled = yes
profiling.rules.sort = avgticks
profiling.rules.limit = 100
The box is running on a public ip so the local network range isn't
being used.
I am running Nginx and it is running on port 80, it worked with the
Ubuntu 1.0.1 version but now with the PPA or the 1.0.2 source it does
not log anymore.
What am I overseeing?
>
> Cheers,
> Victor
Regards,
Michiel
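A small diagnostic aid, added here as an example and not part of the thread or of Suricata itself: it parses the address-group and port-group syntax used in the suricata.yaml quoted above (bracketed lists, "!" negation, "any", "$VAR" references) and reports which groups cover a given server address and port, so one can check how a box on a public IP relates to a HOME_NET made of private ranges. The public address 203.0.113.5 below is a constructed documentation-range value, and nested brackets are flattened rather than honoured.

```python
import ipaddress

# Address and port groups copied from the suricata.yaml quoted above.
ADDRESS_GROUPS = {
    "HOME_NET": "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]",
    "EXTERNAL_NET": "any",
    "HTTP_SERVERS": "$HOME_NET",
}
PORT_GROUPS = {"HTTP_PORTS": "80", "SHELLCODE_PORTS": "!80"}

def _split(spec):
    """Split "[a,b]", "!a" or "any" into (include, exclude) item lists; nesting is ignored (assumption)."""
    include, exclude = [], []
    for item in str(spec).replace("[", "").replace("]", "").split(","):
        item = item.strip()
        if item:
            (exclude if item.startswith("!") else include).append(item.lstrip("!"))
    return include, exclude

def resolve(name, groups):
    """Follow $VAR references, e.g. HTTP_SERVERS -> $HOME_NET."""
    spec = str(groups[name])
    return resolve(spec[1:], groups) if spec.startswith("$") else spec

def addr_in_group(addr, spec):
    """True if addr falls inside a Suricata address group."""
    ip = ipaddress.ip_address(addr)
    include, exclude = _split(spec)
    def hit(item):  # 'in' is False across IPv4/IPv6, which is what we want
        return item.lower() == "any" or ip in ipaddress.ip_network(item, strict=False)
    if any(hit(i) for i in exclude):
        return False
    # A group made only of negations ("!192.168.0.0/16") matches everything else.
    return not include or any(hit(i) for i in include)

def port_in_group(port, spec):
    """True if port falls inside a Suricata port group ("80", "!80", "1024:65535")."""
    include, exclude = _split(spec)
    def hit(item):
        lo, _, hi = item.partition(":")
        return item.lower() == "any" or int(lo) <= port <= int(hi or lo)
    if any(hit(i) for i in exclude):
        return False
    return not include or any(hit(i) for i in include)

def coverage(addr, port, addr_groups=ADDRESS_GROUPS, port_groups=PORT_GROUPS):
    """Report which configured groups cover a server's address and port."""
    result = {n: addr_in_group(addr, resolve(n, addr_groups)) for n in addr_groups}
    result.update({n: port_in_group(port, resolve(n, port_groups)) for n in port_groups})
    return result
```

Calling coverage() with the box's real public address and port 80 shows at a glance which of HOME_NET, HTTP_SERVERS and HTTP_PORTS actually include it.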