[Oisf-users] Monitoring web and proxy server with suricata

carlopmart carlopmart at gmail.com
Mon Mar 28 08:23:08 UTC 2011

Hi all,

  I am trying to monitor my proxy and web servers with a suricata 
sensor. For the other monitor tasks, I am using snort.

  If I am not wrong, suricata stores http accesss (and I supose alarms 
too) in the http.log file, correct??. Actually, in this file only 
appears access to my web servers like in apache access.log does: 
practically is the same info. Is this right?? How can I prevent suricata 
register the same info that apache does and store only http alarms related??

  And another question is: how can I monitor my proxy servers (squid)?? 
Using default emergingthreats rules I can't see what host makes the 
requests to these proxys. Alarms only reflects my proxys as the origin 
of all requests. How can I prevent this??

  The only thing that occurred to me is to modify the rules and add two 
new variables: $PROXY_SERVERS and $PROXY_PORTS. Then, I have 
added/modified rules like this:

  "tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS" by "tcp $HOME_NET any 

  Is this correct?? If that is correct, how do I define $HOME_NET if I 
just want to monitor the proxy servers??

Many thanks for your help.

CL Martinez
carlopmart {at} gmail {d0t} com

More information about the Oisf-users mailing list