[Oisf-users] Monitoring web and proxy server with suricata

carlopmart carlopmart at gmail.com
Mon Mar 28 08:47:32 UTC 2011

On 03/28/2011 10:38 AM, Victor Julien wrote:

>> appears access to my web servers like in apache access.log does:
>> practically is the same info. Is this right?? How can I prevent suricata
>> register the same info that apache does and store only http alarms related??
> Just disable http.log in your suricata.yaml and enable fast.log.

Ok, thanks.

>>    And another question is: how can I monitor my proxy servers (squid)??
>> Using default emergingthreats rules I can't see what host makes the
>> requests to these proxys. Alarms only reflects my proxys as the origin
>> of all requests. How can I prevent this??
> Thats hard. Proxies generally set a Via or X-Forwarded-For header in the
> request containing the ip of the original sender. But I see a lot of
> request with forged headers, so I'd be hesitant to trust that. Currently
> in Suricata there is no way to extract that and log it.
> I guess the best solution would be to place suricata before the proxy
> instead of after.
>>    The only thing that occurred to me is to modify the rules and add two
>> new variables: $PROXY_SERVERS and $PROXY_PORTS. Then, I have
>> added/modified rules like this:
>>    "tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS" by "tcp $HOME_NET any
>>    Is this correct?? If that is correct, how do I define $HOME_NET if I
>> just want to monitor the proxy servers??
> I'm not sure how that would help anything. Using such variables only
> limits the number of ip's the rules are checked against. However if all
> requests are coming from the proxy anyway nothing will change.

Uhmm I see .. Then, the solution could be to configure suricata in 
inline mode in the same host that I have installed squid and put squid 
server in transparent mode and define only squid proxy servers's IPs as 

CL Martinez
carlopmart {at} gmail {d0t} com

More information about the Oisf-users mailing list