[Oisf-users] Monitoring web and proxy server with suricata
carlopmart
carlopmart at gmail.com
Mon Mar 28 08:47:32 UTC 2011
On 03/28/2011 10:38 AM, Victor Julien wrote:
>
>> appears access to my web servers like in apache access.log does:
>> practically it is the same info. Is this right?? How can I prevent suricata
>> registering the same info that apache does and store only http-related alarms??
>
> Just disable http.log in your suricata.yaml and enable fast.log.
Ok, thanks.
>
>> And another question is: how can I monitor my proxy servers (squid)??
>> Using default emergingthreats rules I can't see which host makes the
>> requests to these proxies. Alarms only reflect my proxies as the origin
>> of all requests. How can I prevent this??
>
> That's hard. Proxies generally set a Via or X-Forwarded-For header in the
> request containing the IP of the original sender. But I see a lot of
> requests with forged headers, so I'd be hesitant to trust that. Currently
> in Suricata there is no way to extract that and log it.
>
> I guess the best solution would be to place suricata before the proxy
> instead of after.
>
>> The only thing that occurred to me is to modify the rules and add two
>> new variables: $PROXY_SERVERS and $PROXY_PORTS. Then, I have
>> added/modified rules like this:
>>
>> "tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS" by "tcp $HOME_NET any
>> -> $PROXY_SERVERS $PROXY_PORTS"
>>
>> Is this correct?? If that is correct, how do I define $HOME_NET if I
>> just want to monitor the proxy servers??
>
> I'm not sure how that would help anything. Using such variables only
> limits the number of IPs the rules are checked against. However, if all
> requests are coming from the proxy anyway, nothing will change.
>
Uhmm, I see... Then, the solution could be to configure suricata in
inline mode on the same host where I have installed squid, put the squid
server in transparent mode, and define only the squid proxy servers' IPs as
$HOME_NET??
--
CL Martinez
carlopmart {at} gmail {d0t} com
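For reference, a suricata.yaml fragment that puts the two configuration points raised in this thread side by side: the output change Victor suggests (http.log off, fast.log on) and the $PROXY_SERVERS / $PROXY_PORTS variables the original poster defined for the rewritten rules. This is an added example, not a configuration from either participant; the addresses and the squid port are placeholders to be replaced with the real values.

```yaml
# Added example, not part of the original thread. Placeholder values only.
vars:
  address-groups:
    # Hosts whose traffic the rules treat as internal clients.
    HOME_NET: "[192.168.0.0/16]"
    EXTERNAL_NET: "!$HOME_NET"
    # The squid proxies (placeholders); used in the rewritten rule headers
    # "tcp $HOME_NET any -> $PROXY_SERVERS $PROXY_PORTS".
    # Note Victor's caveat: this only narrows which addresses the rules
    # are checked against, it does not reveal the client behind the proxy.
    PROXY_SERVERS: "[10.0.0.10,10.0.0.11]"
  port-groups:
    HTTP_PORTS: "80"
    # Default squid listening port (placeholder).
    PROXY_PORTS: "3128"

outputs:
  # Alerts only: what remains once the access-log style output is off.
  - fast:
      enabled: yes
      filename: fast.log
      append: yes
  # Per-request HTTP log; duplicates apache's access.log, so disabled.
  - http-log:
      enabled: no
      filename: http.log
      append: yes
```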