[Oisf-users] Hello and question about setting up Suricata as a Web Application IDS

Victor Julien victor at inliniac.net
Thu Mar 24 13:25:57 UTC 2011


On 03/24/2011 02:04 PM, Michiel van Es wrote:
> 
>  On Thu, 24 Mar 2011 12:27:02 +0100, Victor Julien wrote:
>> On 03/24/2011 11:34 AM, Michiel van Es wrote:
>>>  On Thu, 24 Mar 2011 10:30:38 +0000, Chris Wakelin wrote:
>>>> On 24/03/11 10:19, Michiel van Es wrote:
>>>>>  Hi,
>>>>>
>>>>>  I am pretty new to Snort/Suricata and WAF's.
>>>>>  I have set up Snort with some rules (web-attacks.rules) with some
>>>>>  simple custom rules to detect XSS and SQL Injection:
>>>>>  My goal is to setup Suricata as a replacement of snort and it 
>>>>> only
>>>>>  should detect XSS and SQL injection attacks, I don't bother about
>>>>> all
>>>>>  other rules/alerts (like portscans etc.).
>>>>
>>>> ...
>>>>
>>>>>
>>>>>  I just want Suricata to detect and log/alert me about these
>>>>> attacks.
>>>>>  I use Ubuntu 10.10 (Maverick) 64 bit with the Suricata package 
>>>>> from
>>>>> its
>>>>>  repo:
>>>>>  root at vps500:/etc/snort/rules# dpkg -l | grep suricata
>>>>>  ii  suricata                         1.0.1-1
>>>>>                Next Generation Intrusion Detection and Prevention
>>
>> May I suggest installing from source. Preferably the latest GIT code.
>>
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Installation_from_GIT
>>
>> Or else at least 1.0.2:
>>
>>
>> https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Ubuntu_Installation
>>
>> Btw, since you are using Ubuntu there are at least 2 ppa's available
>> that provide more up 2 date builds:
>>
>> https://launchpad.net/~honeynet/+archive/nightly
>> https://launchpad.net/~ebf0/+archive/gamelinux/
> 
>  Hi Victor,
> 
>  I tried the PPA and the source 1.0.2 version but I am not receiving 
>  http requests in the /var/log/suricata/http.log logfile anymore..
> 
>  suricata.yaml:
>    # a line based log of HTTP requests (no alerts)
>    - http-log:
>        enabled: yes
>        filename: http.log
> 
> 
>  libhtp:
> 
>     default-config:
>       personality: IDS
> 
>     server-config:
> 
>       - apache:
>           address: [192.168.1.0/24, 127.0.0.0/8, "::1"]
>           personality: Apache_2_2
> 
>       - iis7:
>           address:
>             - 192.168.0.0/24
>             - 192.168.10.0/24
>           personality: IIS_7_0
> 
>      HOME_NET: "[192.168.0.0/16,10.0.0.0/8,172.16.0.0/12]"
> 
>      EXTERNAL_NET: any
> 
>      HTTP_SERVERS: "$HOME_NET"
> 
>      SMTP_SERVERS: "$HOME_NET"
> 
>      SQL_SERVERS: "$HOME_NET"
> 
>      DNS_SERVERS: "$HOME_NET"
> 
>      TELNET_SERVERS: "$HOME_NET"
> 
>      AIM_SERVERS: any
> 
>    # Holds the port group vars that would be passed in a Signature.
>    # These would be retrieved during the Signature port parsing stage.
>    port-groups:
> 
>      HTTP_PORTS: "80"
> 
>      SHELLCODE_PORTS: "!80"
> 
>      ORACLE_PORTS: 1521
> 
>      SSH_PORTS: 22
> 
>  suricata --dump-config /etc/suricata/suricata/yaml:
> 
>  libhtp = (null)
>  libhtp.default-config = (null)
>  libhtp.default-config.personality = IDS
>  libhtp.server-config = (null)
>  libhtp.server-config.0 = apache
>  libhtp.server-config.0.apache = (null)
>  libhtp.server-config.0.apache.address = (null)
>  libhtp.server-config.0.apache.address.0 = 192.168.1.0/24
>  libhtp.server-config.0.apache.address.1 = 127.0.0.0/8
>  libhtp.server-config.0.apache.address.2 = ::1
>  libhtp.server-config.0.apache.personality = Apache_2_2
>  libhtp.server-config.1 = iis7
>  libhtp.server-config.1.iis7 = (null)
>  libhtp.server-config.1.iis7.address = (null)
>  libhtp.server-config.1.iis7.address.0 = 192.168.0.0/24
>  libhtp.server-config.1.iis7.address.1 = 192.168.10.0/24
>  libhtp.server-config.1.iis7.personality = IIS_7_0
>  profiling = (null)
>  profiling.rules = (null)
>  profiling.rules.enabled = yes
>  profiling.rules.sort = avgticks
>  profiling.rules.limit = 100
> 
>  The box is running on a public ip so the local network range isn't 
>  being used.
> 
>  I am running Nginx and it is running on port 80, it worked with the 
>  Ubuntu 1.0.1 version but now with the PPA or the 1.0.2 source it does 
>  not log anymore.
> 
>  What am I overseeing?

Not sure actually, it should just work. Can you try with a pcap file to
make sure it's not something related to the network, our live pcap code,
etc?

Cheers,
Victor


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
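A way to do the pcap test Victor suggests, as an added example that is not part of the thread or of the Suricata project: the script writes a minimal libpcap file containing one complete TCP session (handshake, request, response) to port 80, so the stream engine sees a fully tracked flow and libhtp gets a well-formed request to log. The 203.0.113.x addresses, MACs, client port and sequence numbers are constructed values.

```python
import struct
SYN, ACK, PSH = 0x02, 0x10, 0x08

def _csum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, shared by the IPv4 header and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """One Ethernet/IPv4/TCP frame with correct IP and TCP checksums (constructed MACs)."""
    sip, dip = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    pseudo = sip + dip + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _csum(pseudo + tcp)) + tcp[18:]
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, sip, dip)
    iph = iph[:10] + struct.pack("!H", _csum(iph)) + iph[12:]
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + iph + tcp

def verify_checksums(frame: bytes) -> bool:
    """True when both the IPv4 header and the TCP segment checksum of a frame verify."""
    iph, tcp = frame[14:34], frame[34:]
    pseudo = iph[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _csum(iph) == 0 and _csum(pseudo + tcp) == 0

def http_session(client="203.0.113.10", server="203.0.113.80", dport=80,
                 request=b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"):
    """Three-way handshake, request and response, so the stream engine tracks a complete flow."""
    response = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    cs, ss, cport = 1000, 5000, 40000  # constructed initial sequence numbers and client port
    return [
        ipv4_tcp(client, server, cport, dport, cs, 0, SYN),
        ipv4_tcp(server, client, dport, cport, ss, cs + 1, SYN | ACK),
        ipv4_tcp(client, server, cport, dport, cs + 1, ss + 1, ACK),
        ipv4_tcp(client, server, cport, dport, cs + 1, ss + 1, PSH | ACK, request),
        ipv4_tcp(server, client, dport, cport, ss + 1, cs + 1 + len(request), PSH | ACK, response),
    ]

def build_pcap(frames) -> bytes:
    """Classic libpcap file: 24-byte global header (LINKTYPE_ETHERNET = 1), then a record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):  # constructed timestamps, one second apart
        out += struct.pack("<IIII", 1300000000 + i, 0, len(frame), len(frame)) + frame
    return out

if __name__ == "__main__":  # writes the file to replay with: suricata -r http-test.pcap
    open("http-test.pcap", "wb").write(build_pcap(http_session()))
```

Replay it with `suricata -r http-test.pcap -c /etc/suricata/suricata.yaml -l /tmp/suricata-test` and look for the GET line in http.log under that directory; if it appears there, the YAML and libhtp settings are fine and the fault is in live capture on the interface rather than in the HTTP logging.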