[Oisf-users] Monitoring web and proxy server with suricata
carlopmart
carlopmart at gmail.com
Mon Mar 28 15:07:09 UTC 2011
On 03/28/2011 10:47 AM, carlopmart wrote:
> On 03/28/2011 10:38 AM, Victor Julien wrote:
>
>>
>>> appears access to my web servers like in apache access.log does:
>>> practically it is the same info. Is this right?? How can I prevent suricata
>>> from registering the same info that apache does and store only http-related
>>> alarms??
>>
>> Just disable http.log in your suricata.yaml and enable fast.log.
>
> Ok, thanks.
>
>>
>>> And another question is: how can I monitor my proxy servers (squid)??
>>> Using default emergingthreats rules I can't see what host makes the
>>> requests to these proxies. Alarms only reflect my proxies as the origin
>>> of all requests. How can I prevent this??
>>
>> That's hard. Proxies generally set a Via or X-Forwarded-For header in the
>> request containing the IP of the original sender. But I see a lot of
>> requests with forged headers, so I'd be hesitant to trust that. Currently
>> in Suricata there is no way to extract that and log it.
>>
>> I guess the best solution would be to place suricata before the proxy
>> instead of after.
>>
>>> The only thing that occurred to me is to modify the rules and add two
>>> new variables: $PROXY_SERVERS and $PROXY_PORTS. Then, I have
>>> added/modified rules like this:
>>>
>>> "tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS" by "tcp $HOME_NET any
>>> -> $PROXY_SERVERS $PROXY_PORTS"
>>>
>>> Is this correct?? If that is correct, how do I define $HOME_NET if I
>>> just want to monitor the proxy servers??
>>
>> I'm not sure how that would help anything. Using such variables only
>> limits the number of IPs the rules are checked against. However, if all
>> requests are coming from the proxy anyway, nothing will change.
>>
>
> Uhmm I see .. Then, the solution could be to configure suricata in
> inline mode on the same host where I have installed squid, put the squid
> server in transparent mode, and define only the squid proxy servers' IPs as
> $HOME_NET??
>
Is this the correct solution??
Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
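A suricata.yaml fragment matching the changes discussed in this thread, added here as an illustration rather than taken from the original post or from the Suricata project: http.log disabled, fast.log enabled, and the poster's proposed $PROXY_SERVERS / $PROXY_PORTS groups. The network ranges, proxy addresses and the rule's sid are constructed placeholders.

```yaml
# suricata.yaml fragment (added illustration; addresses and sid are constructed placeholders)
vars:
  address-groups:
    # Internal clients whose traffic the rules should inspect
    HOME_NET: "[192.168.0.0/16]"
    EXTERNAL_NET: "!$HOME_NET"
    # The squid proxies, as proposed in the thread. As Victor notes, this only
    # limits which addresses the rules are checked against; it does not recover
    # the original client when every request already comes from the proxy.
    PROXY_SERVERS: "[192.168.10.5,192.168.10.6]"
  port-groups:
    HTTP_PORTS: "80"
    # Port the squid proxies listen on (constructed value)
    PROXY_PORTS: "3128"

outputs:
  # fast.log carries only alerts, which is what the poster wants to keep
  - fast:
      enabled: yes
      filename: fast.log
  # http.log duplicates Apache's access.log, so it is turned off
  - http-log:
      enabled: no
      filename: http.log

# A rule header rewritten as the poster describes would then read:
#   alert tcp $HOME_NET any -> $PROXY_SERVERS $PROXY_PORTS (msg:"client to proxy"; sid:9000001; rev:1;)
```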