[Oisf-users] Monitoring web and proxy server with suricata

carlopmart carlopmart at gmail.com
Wed Mar 30 12:41:08 UTC 2011

On 03/30/2011 02:36 PM, Victor Julien wrote:
> On 03/30/2011 02:21 PM, carlopmart wrote:
>> On 03/28/2011 05:07 PM, carlopmart wrote:
>>> On 03/28/2011 10:47 AM, carlopmart wrote:
>>>> On 03/28/2011 10:38 AM, Victor Julien wrote:
>>>>>> appears access to my web servers like in apache access.log does:
>>>>>> practically it is the same info. Is this right?? How can I prevent
>>>>>> suricata from registering the same info that apache does and store only
>>>>>> http-related alarms??
>>>>> Just disable http.log in your suricata.yaml and enable fast.log.
>>>> Ok, thanks.
>>>>>> And another question is: how can I monitor my proxy servers (squid)??
>>>>>> Using default emergingthreats rules I can't see what host makes the
>>>>>> requests to these proxies. Alarms only reflect my proxies as the origin
>>>>>> of all requests. How can I prevent this??
>>>>> That's hard. Proxies generally set a Via or X-Forwarded-For header in the
>>>>> request containing the IP of the original sender. But I see a lot of
>>>>> requests with forged headers, so I'd be hesitant to trust that. Currently
>>>>> in Suricata there is no way to extract that and log it.
>>>>> I guess the best solution would be to place suricata before the proxy
>>>>> instead of after.
>>>>>> The only thing that occurred to me is to modify the rules and add two
>>>>>> new variables: $PROXY_SERVERS and $PROXY_PORTS. Then, I have
>>>>>> added/modified rules like this:
>>>>>> "tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS" by "tcp $HOME_NET any
>>>>>> Is this correct?? If that is correct, how do I define $HOME_NET if I
>>>>>> just want to monitor the proxy servers??
>>>>> I'm not sure how that would help anything. Using such variables only
>>>>> limits the number of IPs the rules are checked against. However, if all
>>>>> requests are coming from the proxy anyway, nothing will change.
>>>> Uhmm, I see... Then, the solution could be to configure suricata in
>>>> inline mode on the same host where I have installed squid, put the squid
>>>> server in transparent mode, and define only the squid proxy servers' IPs as
>>>> $HOME_NET??
> I think this should be able to work. Don't think it's needed to run
> inline though, as long as you just make sure Suricata sees the traffic
> before the proxy gets to it.

Many thanks Victor. I will try it as soon as possible.

CL Martinez
carlopmart {at} gmail {d0t} com
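Victor's point about Via / X-Forwarded-For being unreliable is worth seeing in code. The following is an added illustration written for this thread, not Suricata code and not anything the posters ran: it parses a raw HTTP request, walks the X-Forwarded-For chain from the right, and only believes a hop that was vouched for by one of our own proxies. The proxy addresses, the request text and the function names are all constructed; TRUSTED_PROXIES stands in for the Squid servers' IPs the poster wants to treat as $HOME_NET / $PROXY_SERVERS.

```python
"""Recover the originating client behind a known proxy from X-Forwarded-For.

Added example for the Oisf-users thread; not Suricata code. Addresses and the
sample request are constructed.
"""
import ipaddress

# Constructed: the Squid proxies whose X-Forwarded-For entries we are willing
# to believe. Anything to the left of a hop that is NOT one of these could have
# been written by the client itself, which is why a blanket trust is unsafe.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "192.0.2.11/32")]

# Constructed sample request as a transparent Squid might forward it.
SAMPLE_REQUEST = (
    "GET http://example.com/ HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "X-Forwarded-For: 10.0.0.5, 192.0.2.11\r\n"
    "Via: 1.1 squid-a\r\n"
    "\r\n"
)


def is_trusted_proxy(ip):
    """True if ip falls inside one of our proxy networks (raises ValueError on junk)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def parse_request_headers(raw):
    """Return {lower-cased header name: value} from a raw HTTP request string."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def resolve_client(peer_ip, headers):
    """Return (client_ip, reason) for a request seen from TCP peer peer_ip.

    If the peer is not one of our proxies the header is ignored outright: any
    host can send an X-Forwarded-For line. If it is, walk the chain right to
    left; each trusted hop vouches only for the entry immediately to its left,
    so the first untrusted entry we meet is the best claim we can make.
    """
    if not is_trusted_proxy(peer_ip):
        return peer_ip, "peer-not-proxy"
    chain = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    while chain:
        hop = chain.pop()  # rightmost = what the peer proxy saw as its own peer
        try:
            if is_trusted_proxy(hop):
                continue  # one of ours; its peer is the next entry to the left
        except ValueError:
            return peer_ip, "unparseable-hop"  # forged or garbage header
        return hop, "from-xff"
    return peer_ip, "xff-exhausted"  # no header, or every hop was one of ours


if __name__ == "__main__":
    hdrs = parse_request_headers(SAMPLE_REQUEST)
    print(resolve_client("192.0.2.10", hdrs))   # seen from a trusted proxy
    print(resolve_client("203.0.113.9", hdrs))  # same header from an unknown host
```

Note what the walk deliberately discards: in a header such as `1.2.3.4, 10.0.0.5` arriving from proxy 192.0.2.10, only `10.0.0.5` is returned, because `1.2.3.4` was written by whoever sat in front of the proxy and could be anything. That is the same distinction Victor draws, and it is why putting the sensor in front of the proxy, where the TCP source address itself is the client, avoids the problem altogether.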
