[Oisf-users] Monitoring web and proxy server with suricata
carlopmart
carlopmart at gmail.com
Mon Mar 28 08:23:08 UTC 2011
Hi all,

I am trying to monitor my proxy and web servers with a suricata
sensor. For the other monitoring tasks, I am using snort.

If I am not wrong, suricata stores http access (and I suppose alarms
too) in the http.log file, correct? Actually, only access to my web
servers appears in this file, just like in apache access.log:
practically the same info. Is this right? How can I prevent suricata
from registering the same info that apache does and store only the
related http alarms?

And another question is: how can I monitor my proxy servers (squid)?
Using the default emergingthreats rules I can't see which host makes the
requests to these proxies. Alarms only reflect my proxies as the origin
of all requests. How can I prevent this?

The only thing that occurred to me is to modify the rules and add two
new variables: $PROXY_SERVERS and $PROXY_PORTS. Then, I have
added/modified rules like this:

"tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS" by "tcp $HOME_NET any
-> $PROXY_SERVERS $PROXY_PORTS"

Is this correct? If that is correct, how do I define $HOME_NET if I
just want to monitor the proxy servers?

Many thanks for your help.
--
CL Martinez
carlopmart {at} gmail {d0t} com
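As an added illustration of the two points raised in the post (this is editor-supplied example configuration, not the poster's setup or anything from the Suricata or Emerging Threats projects), the suricata.yaml fragments below define the proposed $PROXY_SERVERS and $PROXY_PORTS variables, keep $HOME_NET as the client networks so that alerts on the client-side segment name the client as source, and turn off the http-log output that produces the apache-like access records while keeping fast.log for rule alerts. All addresses, ports and the rule sid are constructed placeholders; the rule header is written the way the post proposes.

```yaml
# Added example (not from the original post): suricata.yaml fragments
# for the proxy-monitoring scenario. Addresses, ports and the sid are
# constructed placeholders.
vars:
  address-groups:
    # HOME_NET stays the client networks: on the client-side segment of
    # the proxy, alerts then report the client as source and the proxy
    # as destination instead of the proxy as source of every request.
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8]"
    EXTERNAL_NET: "!$HOME_NET"
    # New variable proposed in the post: the squid servers themselves.
    PROXY_SERVERS: "[10.0.0.5,10.0.0.6]"
    # Web servers, so the stock $HTTP_SERVERS rules stay scoped to them.
    HTTP_SERVERS: "[10.0.1.10,10.0.1.11]"
  port-groups:
    HTTP_PORTS: "80"
    # New variable proposed in the post: the ports squid listens on.
    PROXY_PORTS: "[3128,8080]"

outputs:
  # http.log records every HTTP transaction, which is the apache-like
  # access log the post describes. Disabling it leaves only rule alerts
  # (fast.log here) as Suricata's HTTP-related output.
  - http-log:
      enabled: no
      filename: http.log
      append: yes
  - fast:
      enabled: yes
      filename: fast.log
      append: yes

# Rule header rewritten as the post proposes, kept in a local rules file.
# Constructed policy rule: flags CONNECT tunnelling requests from clients
# to the proxies (sid chosen from the local 1000000+ range).
#   alert tcp $HOME_NET any -> $PROXY_SERVERS $PROXY_PORTS (msg:"LOCAL HTTP CONNECT request to proxy"; flow:to_server,established; content:"CONNECT "; depth:8; nocase; classtype:policy-violation; sid:1000001; rev:1;)
```

One caveat for anyone adopting this: the variables only help if the sensor interface actually sees the client-to-proxy leg of the traffic (the proxy's inside segment). On the outside segment the proxy genuinely is the source of every outbound request, and no rule variable can recover the original client address from that vantage point; correlate with the squid access log there instead.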