[Oisf-users] Monitoring web and proxy server with suricata

Victor Julien victor at inliniac.net
Wed Mar 30 12:36:00 UTC 2011

On 03/30/2011 02:21 PM, carlopmart wrote:
> On 03/28/2011 05:07 PM, carlopmart wrote:
>> On 03/28/2011 10:47 AM, carlopmart wrote:
>>> On 03/28/2011 10:38 AM, Victor Julien wrote:
>>>>> appears access to my web servers like in apache access.log does:
>>>>> practically it is the same info. Is this right?? How can I prevent
>>>>> suricata
>>>>> registering the same info that apache does and store only http alarms
>>>>> related??
>>>> Just disable http.log in your suricata.yaml and enable fast.log.
>>> Ok, thanks.
>>>>> And another question is: how can I monitor my proxy servers (squid)??
>>>>> Using default emergingthreats rules I can't see what host makes the
>>>>> requests to these proxies. Alarms only reflect my proxies as the origin
>>>>> of all requests. How can I prevent this??
>>>> That's hard. Proxies generally set a Via or X-Forwarded-For header in the
>>>> request containing the IP of the original sender. But I see a lot of
>>>> requests with forged headers, so I'd be hesitant to trust that. Currently
>>>> in Suricata there is no way to extract that and log it.
>>>> I guess the best solution would be to place suricata before the proxy
>>>> instead of after.
>>>>> The only thing that occurred to me is to modify the rules and add two
>>>>> new variables: $PROXY_SERVERS and $PROXY_PORTS. Then, I have
>>>>> added/modified rules like this:
>>>>> "tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS" by "tcp $HOME_NET any
>>>>> Is this correct?? If that is correct, how do I define $HOME_NET if I
>>>>> just want to monitor the proxy servers??
>>>> I'm not sure how that would help anything. Using such variables only
>>>> limits the number of IPs the rules are checked against. However, if all
>>>> requests are coming from the proxy anyway nothing will change.
>>> Uhmm, I see .. Then, the solution could be to configure suricata in
>>> inline mode on the same host where I have installed squid, put the squid
>>> server in transparent mode and define only the squid proxy servers' IPs as
>>> $HOME_NET??

I think this should be able to work. Don't think it's needed to run
inline though, as long as you just make sure Suricata sees the traffic
before the proxy gets to it.

Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
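The thread makes two points worth seeing in code: a proxy's Via / X-Forwarded-For headers name the original client, but they are trivially forged, so a sensor that only sees the proxy side should trust them only when the packet's source IP actually is one of the known proxies (the $PROXY_SERVERS idea). The following is an added example, not code from the thread or from Suricata; the proxy address set, the function names and the sample requests are all constructed for illustration.

```python
"""Added example: attribute proxied HTTP requests to the client behind the proxy,
trusting X-Forwarded-For / Via only when the request's source IP is a known proxy.
Proxy addresses and sample requests are constructed for this example."""
import ipaddress

# Assumed proxy addresses, standing in for the $PROXY_SERVERS variable in the thread.
PROXY_SERVERS = {
    ipaddress.ip_address("10.0.0.5"),
    ipaddress.ip_address("10.0.0.6"),
}


def parse_headers(raw_request: str) -> dict:
    """Parse the header block of a raw HTTP request into a lowercase-keyed dict."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def client_behind_proxy(src_ip: str, raw_request: str) -> tuple:
    """Return (client_ip, basis).

    basis is one of:
      'direct'           - src_ip is not a proxy and carries no forwarding header
      'untrusted'        - a forwarding header arrived from a non-proxy source;
                           treat as forged or misrouted and keep src_ip
      'x-forwarded-for'  - src_ip is a known proxy and XFF parsed as an IP
      'unparseable'      - src_ip is a known proxy but XFF is not an IP literal
      'via-only'         - proxy set Via but no XFF, so the client is unknown
      'proxy-no-header'  - proxy sent neither header
    """
    src = ipaddress.ip_address(src_ip)
    headers = parse_headers(raw_request)
    xff = headers.get("x-forwarded-for")
    via = headers.get("via")

    if src not in PROXY_SERVERS:
        return (src_ip, "untrusted") if (xff or via) else (src_ip, "direct")

    if xff:
        # XFF is a comma-separated chain; the first entry is the original client
        # as reported by the (trusted) proxy. Refuse anything that is not an IP.
        first = xff.split(",")[0].strip()
        try:
            ipaddress.ip_address(first)
        except ValueError:
            return src_ip, "unparseable"
        return first, "x-forwarded-for"

    if via:
        return src_ip, "via-only"
    return src_ip, "proxy-no-header"


# Constructed sample traffic: (source IP as seen on the wire, raw request).
SAMPLES = [
    ("10.0.0.5", "GET / HTTP/1.1\r\nHost: example.test\r\n"
                 "X-Forwarded-For: 192.168.1.20\r\nVia: 1.1 squid\r\n\r\n"),
    ("192.168.1.30", "GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("192.168.1.30", "GET / HTTP/1.1\r\nHost: example.test\r\n"
                     "X-Forwarded-For: 203.0.113.9\r\n\r\n"),
    ("10.0.0.6", "GET / HTTP/1.1\r\nHost: example.test\r\nVia: 1.1 squid\r\n\r\n"),
]


def attribute_samples(samples=SAMPLES) -> list:
    """Run attribution over the sample set; returns a list of (src, client, basis)."""
    return [(src, *client_behind_proxy(src, req)) for src, req in samples]


if __name__ == "__main__":
    for src, client, basis in attribute_samples():
        print(f"{src:>14} -> client {client:<14} ({basis})")
```

The useful property is that a forged X-Forwarded-For arriving from an ordinary host is flagged rather than believed, while a header from a listed proxy is accepted; if your sensor sits in front of the proxy, as suggested in the thread, the 'direct' case is all you need.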
