[Oisf-users] Protecting APIs

Peter Manev petermanev at gmail.com
Tue Aug 19 15:29:04 UTC 2014


On Tue, Aug 19, 2014 at 2:58 PM, Anoop Saldanha <anoopsaldanha at gmail.com> wrote:
> On Tue, Aug 19, 2014 at 5:53 PM, Ray Counterman <raycounterman at gmail.com> wrote:
>> In exposing APIs to clients over the Internet there is a different threat
>> model as APIs are fundamentally different from Web sites and have an
>> entirely unique risk profile that must be addressed.  Can Suricata help
>> protect against threats to APIs? Some examples are DoS; XML, SQL and Code
>> injection; Cross-site Scripting (XSS), and others.  Has anyone used Suricata
>> to protect APIs?
>>
>
> From where  I see, it should come down to running it inline(needs to
> be combined with active response for things like dos), or in active
> response(response reject), and writing meaningful rules.
>
> DoS: This can be tricky I suppose.  I can see cases where this needs
> direct support inside suricata, which it currently doesn't have. For
> example if I wanted to prevent slow dos, I would expect suricata to
> implement a timer/timeout againt a flow that matched on the said rule,
> and if a flow got stuck in a particular state or the stream didn't
> advance further, I would want suricata to timeout the flow, as well as
> send a RST down to the server and the client both.  I don't think
> there is a workaround either to support things like this.  This can be
> a feature though.

Personally I am really interested in a build in DoS support feature
inside the Suricata's engine that can be "enabled/disabled".
How easy/difficult/feasible would it be and what would be the pros and
cons of a build in feature like this?

>
> xml - I don't think suricata has a xml parser.  Need to peek into
> libhtp to check this.
>
> sql, xss - Comes down to writing good rules.  Ideally for these 2
> cases, I would have wanted a keyword like
> http_args(https://redmine.openinfosecfoundation.org/issues/1194) to
> make life simple.  You can still write decent rules for this using the
> current http_* keywords we have.
>
> --
> -------------------------------
> Anoop Saldanha
> http://www.poona.me
> -------------------------------
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/



-- 
Regards,
Peter Manev



More information about the Oisf-users mailing list