[Oisf-users] Protecting APIs
Anoop Saldanha
anoopsaldanha at gmail.com
Tue Aug 19 12:58:57 UTC 2014
On Tue, Aug 19, 2014 at 5:53 PM, Ray Counterman <raycounterman at gmail.com> wrote:
> In exposing APIs to clients over the Internet there is a different threat
> model as APIs are fundamentally different from Web sites and have an
> entirely unique risk profile that must be addressed. Can Suricata help
> protect against threats to APIs? Some examples are DoS; XML, SQL and Code
> injection; Cross-site Scripting (XSS), and others. Has anyone used Suricata
> to protect APIs?
>
>From where I see, it should come down to running it inline(needs to
be combined with active response for things like dos), or in active
response(response reject), and writing meaningful rules.
DoS: This can be tricky I suppose. I can see cases where this needs
direct support inside suricata, which it currently doesn't have. For
example if I wanted to prevent slow dos, I would expect suricata to
implement a timer/timeout againt a flow that matched on the said rule,
and if a flow got stuck in a particular state or the stream didn't
advance further, I would want suricata to timeout the flow, as well as
send a RST down to the server and the client both. I don't think
there is a workaround either to support things like this. This can be
a feature though.
xml - I don't think suricata has a xml parser. Need to peek into
libhtp to check this.
sql, xss - Comes down to writing good rules. Ideally for these 2
cases, I would have wanted a keyword like
http_args(https://redmine.openinfosecfoundation.org/issues/1194) to
make life simple. You can still write decent rules for this using the
current http_* keywords we have.
--
-------------------------------
Anoop Saldanha
http://www.poona.me
-------------------------------
More information about the Oisf-users
mailing list