[Oisf-users] Monitoring web and proxy server with suricata

Victor Julien victor at inliniac.net
Mon Mar 28 08:38:21 UTC 2011


On 03/28/2011 10:23 AM, carlopmart wrote:
> Hi all,
> 
>   I am trying to monitor my proxy and web servers with a suricata 
> sensor. For the other monitor tasks, I am using snort.
> 
>   If I am not wrong, suricata stores http access (and I suppose alarms 
> too) in the http.log file, correct?? Actually, in this file only 

No, only requests are in http.log. Alerts are in fast.log or (depending
on your config) in other logs.

> appears access to my web servers like in apache access.log does: 
> practically the same info. Is this right?? How can I prevent suricata 
> from registering the same info that apache does and store only http-related alarms??

Just disable http.log in your suricata.yaml and enable fast.log.

>   And another question is: how can I monitor my proxy servers (squid)?? 
> Using default emergingthreats rules I can't see what host makes the 
> requests to these proxies. Alarms only reflect my proxies as the origin 
> of all requests. How can I prevent this??

That's hard. Proxies generally set a Via or X-Forwarded-For header in the
request containing the IP of the original sender. But I see a lot of
requests with forged headers, so I'd be hesitant to trust that. Currently
in Suricata there is no way to extract that and log it.

I guess the best solution would be to place suricata before the proxy
instead of after.

>   The only thing that occurred to me is to modify the rules and add two 
> new variables: $PROXY_SERVERS and $PROXY_PORTS. Then, I have 
> added/modified rules like this:
> 
>   "tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS" by "tcp $HOME_NET any 
> -> $PROXY_SERVERS $PROXY_PORTS"
> 
>   Is this correct?? If that is correct, how do I define $HOME_NET if I 
> just want to monitor the proxy servers??

I'm not sure how that would help anything. Using such variables only
limits the number of IPs the rules are checked against. However, if all
requests are coming from the proxy anyway, nothing will change.

Cheers,
Victor

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
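Victor's point above is that a Via or X-Forwarded-For value can be written by anyone on the path, so it cannot simply be logged as "the client". The example below, added here and not part of the thread or of Suricata itself, shows the usual defensive way to read such a header when you do have it (for instance from Squid's own access log): only read the header when the TCP peer is one of your own proxies, walk the hop list from the right, drop the hops your proxies appended, and treat everything to the left of the first foreign address as unverifiable text. The proxy ranges, header values and function names are constructed for the example.

```python
"""Extract the originating client from an X-Forwarded-For chain while trusting
only the hops added by proxies you operate.

Added example, not code from the mailing-list thread or from Suricata.
TRUSTED_PROXIES and every address below are constructed sample data.
"""
import ipaddress
from typing import List, Optional, Tuple

# Constructed: address ranges of the Squid proxies we run and therefore trust
# to append one correct hop to X-Forwarded-For.
TRUSTED_PROXIES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/24", "192.168.1.10/32")
]


def parse_xff(header: str) -> List[str]:
    """Split a raw X-Forwarded-For value into its comma-separated hops."""
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def is_trusted(addr: str) -> bool:
    """True if addr parses as an IP and lies inside one of our proxy ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def originating_client(peer_ip: str, xff: Optional[str]) -> Tuple[Optional[str], List[str]]:
    """Return (client, untrusted_hops).

    peer_ip is the TCP source address actually observed (the proxy, in the
    thread's setup). If that peer is not one of our proxies, the header is
    attacker-controlled text and the peer itself is the client. Otherwise we
    walk hops right-to-left, skipping our own proxies; the first foreign,
    well-formed address is the best available claim for the real client.
    Hops further left were not added by us and are returned separately so a
    log line can mark them as unverified rather than silently trusting them.
    """
    if not is_trusted(peer_ip):
        # Direct connection: whatever X-Forwarded-For says is irrelevant.
        return peer_ip, []
    if not xff:
        return None, []
    hops = parse_xff(xff)
    for idx in range(len(hops) - 1, -1, -1):
        hop = hops[idx]
        if is_trusted(hop):
            continue  # appended by one of our own proxies
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None, hops  # malformed chain: trust nothing in it
        return hop, hops[:idx]
    # Every hop belonged to our own proxies: no client address recoverable.
    return None, []


def annotate(peer_ip: str, xff: Optional[str]) -> str:
    """Render one log-style line showing what can and cannot be trusted."""
    client, untrusted = originating_client(peer_ip, xff)
    shown = client if client is not None else "unknown"
    suffix = f" unverified_hops={','.join(untrusted)}" if untrusted else ""
    return f"peer={peer_ip} client={shown}{suffix}"


if __name__ == "__main__":
    # Constructed sample requests as a proxy-side log might record them.
    samples = [
        ("10.0.0.5", "203.0.113.9"),                 # honest single hop
        ("10.0.0.5", "198.51.100.77, 203.0.113.9"),  # client prepended a fake hop
        ("10.0.0.5", "203.0.113.9, 10.0.0.7"),       # passed through two of our proxies
        ("198.51.100.3", "10.0.0.1"),                # direct client forging our proxy
        ("10.0.0.5", None),                          # proxy did not add the header
    ]
    for peer, header in samples:
        print(annotate(peer, header))
```

The rule this encodes is that a hop is only as trustworthy as the party that appended it; with a single proxy of your own in front of the sensor, exactly one hop (the rightmost foreign address) is meaningful, and Victor's advice to place the sensor in front of the proxy avoids the problem entirely.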