[Oisf-users] Monitoring web and proxy server with suricata

carlopmart carlopmart at gmail.com
Wed Mar 30 12:21:17 UTC 2011


On 03/28/2011 05:07 PM, carlopmart wrote:
> On 03/28/2011 10:47 AM, carlopmart wrote:
>> On 03/28/2011 10:38 AM, Victor Julien wrote:
>>
>>>
>>>> appears access to my web servers like in apache access.log does:
>>>> practically it is the same info. Is this right?? How can I prevent
>>>> suricata
>>>> from registering the same info that apache does and store only
>>>> http-related alarms??
>>>
>>> Just disable http.log in your suricata.yaml and enable fast.log.
>>
>> Ok, thanks.
>>
>>>
>>>> And another question is: how can I monitor my proxy servers (squid)??
>>>> Using default emergingthreats rules I can't see which host makes the
>>>> requests to these proxies. Alarms only reflect my proxies as the origin
>>>> of all requests. How can I prevent this??
>>>
>>> That's hard. Proxies generally set a Via or X-Forwarded-For header in the
>>> request containing the IP of the original sender. But I see a lot of
>>> requests with forged headers, so I'd be hesitant to trust that. Currently
>>> in Suricata there is no way to extract that and log it.
>>>
>>> I guess the best solution would be to place suricata before the proxy
>>> instead of after.
>>>
>>>> The only thing that occurred to me is to modify the rules and add two
>>>> new variables: $PROXY_SERVERS and $PROXY_PORTS. Then, I have
>>>> added/modified rules like this:
>>>>
>>>> "tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS" by "tcp $HOME_NET any
>>>> -> $PROXY_SERVERS $PROXY_PORTS"
>>>>
>>>> Is this correct?? If that is correct, how do I define $HOME_NET if I
>>>> just want to monitor the proxy servers??
>>>
>>> I'm not sure how that would help anything. Using such variables only
>>> limits the number of IPs the rules are checked against. However, if all
>>> requests are coming from the proxy anyway, nothing will change.
>>>
>>
>> Uhmm, I see. Then the solution could be to configure suricata in
>> inline mode on the same host where I have installed squid, put the squid
>> server in transparent mode and define only the squid proxy servers' IPs
>> as $HOME_NET??
>>
>>
>>
>
> Is this the correct solution??
>
> Thanks.
>

Nothing??

-- 
CL Martinez
carlopmart {at} gmail {d0t} com
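As an added illustration (not part of the thread or of Suricata's shipped configuration), the suricata.yaml fragments the replies refer to: the http.log output switched off in favour of fast.log, and the $PROXY_SERVERS/$PROXY_PORTS variables the poster proposed; the networks, addresses and port below are placeholder values for a lab.

```yaml
# suricata.yaml (excerpt) - added example, placeholder values

vars:
  address-groups:
    # HOME_NET: the internal networks Suricata should treat as "ours"
    HOME_NET: "[192.168.0.0/16,10.0.0.0/8]"
    EXTERNAL_NET: "!$HOME_NET"
    # Custom variable for the squid proxies, as proposed in the thread.
    # Note: if all client requests are sent through the proxies, a rule
    # written as "$HOME_NET any -> $PROXY_SERVERS $PROXY_PORTS" still only
    # sees the proxy as the source on the outbound side; placing the sensor
    # between the clients and the proxy is what exposes the real client IP.
    PROXY_SERVERS: "[192.168.1.10,192.168.1.11]"

  port-groups:
    HTTP_PORTS: "80"
    # squid's default listening port, as a placeholder
    PROXY_PORTS: "3128"

outputs:
  # fast.log: one line per alert, i.e. only the HTTP-related alarms
  - fast:
      enabled: yes
      filename: fast.log

  # http.log: every HTTP request, duplicating apache's access.log;
  # disabled so that only alerts are recorded, as Victor suggested
  - http-log:
      enabled: no
      filename: http.log
```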