[Oisf-users] Would it be possible to run a query per http request?

Eliezer Croitoru eliezer at ngtech.co.il
Mon Nov 28 11:11:14 UTC 2016


Hey,

Well, I am using squid, but squid breaks some traffic and I prefer to be less invasive, or at least to not break connections if I can.
In squid version 4 there is big progress on that point, but I want to know the options.
If I know, I can answer clearly to others who asked and ask me.
Actually I like urlfilterdb and I was inspired by it and by the developer, who gave lots of pointers, and I eventually wrote and published SquidBlocker[http://new.ngtech.co.il/squidblocker_en.html], which I am using as a client daily.
It's just that there are other products which cost money that offer a more "complete" and stable solution.
I do not know lua very much, but maybe I will get into it to try and test the concept of using Suricata with a DB backend.

Thanks for the pointers and help,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


-----Original Message-----
From: Oisf-users [mailto:oisf-users-bounces at lists.openinfosecfoundation.org] On Behalf Of Andreas Herz
Sent: Monday, November 28, 2016 00:45
To: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Would it be possible to run a query per http request?

Hi,

On 25/11/16 at 14:35, Eliezer Croitoru wrote:
> Hey,
> 
> I am working with proxies for quite some time and I was wondering if 
> it would be possible to use Suricata the following way:
> - Inspect http request
> - Verify against a DB the request URL
> - Deny or Allow the http request

If you can get the DB converted into rules or embedded via lua scripts that should work. Matching on http traffic and within that on specific requests isn't that difficult.

> I think that Suricata has an advantage over a proxy for plain http 
> since it can be less "invasive".

Why less invasive?

> Would it be possible? If so what are the recommendations?

You could try to run it with NFQ or AF_PACKET IPS mode, add some signatures that use the http keyword and match on requests to specific URLs, and test it with traffic.

I just think using squid with something like urlfilterdb might be suited better for that purpose, but it might be worth testing with suricata.

--
Andreas Herz
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Suricata User Conference November 9-11 in Washington, DC: http://suricon.net
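Andreas's first suggestion above is to "get the DB converted into rules" and run Suricata inline (NFQ or AF_PACKET IPS mode) with signatures on the HTTP keywords. The script below is an added example of that conversion, not code from the thread or from the Suricata project: it reads a URL deny-list (the "DB" from the question, here a constructed sample) and emits one `drop http` rule per entry using the `http.host` and `http.uri` sticky buffers with `startswith`/`endswith` (Suricata 5+ syntax is assumed; older releases spell these as `http_host`/`http_uri` modifiers). The `$HOME_NET`/`$EXTERNAL_NET` variables, the `policy-violation` classtype, and the 9000000 sid range are assumptions to be adapted to the local suricata.yaml and classification.config.

```python
"""Added example (not Suricata's own code): convert a URL deny-list into
Suricata drop rules so an inline IPS can block matching HTTP requests."""
import re

# Characters that carry meaning inside content:"..." / msg:"..." and must be
# backslash-escaped in the rule text.
_SPECIAL = {'\\': '\\\\', '"': '\\"', ';': '\\;', '|': '\\|'}


def escape_content(text: str) -> str:
    """Escape a literal for use inside content:"..." or msg:"..."."""
    return ''.join(_SPECIAL.get(ch, ch) for ch in text)


def parse_entry(entry: str):
    """Split a deny-list line into (host, path).

    Returns None for blank lines and '#' comments. The host is lowercased
    and stripped of any port because the http.host buffer is normalised
    to the lowercase hostname.
    """
    entry = entry.strip()
    if not entry or entry.startswith('#'):
        return None
    entry = re.sub(r'^https?://', '', entry, flags=re.IGNORECASE)
    host, sep, path = entry.partition('/')
    host = host.split(':')[0].lower().rstrip('.')
    if not host:
        raise ValueError(f"entry has no host: {entry!r}")
    return host, ('/' + path) if sep else ''


def make_rule(host: str, path: str, sid: int, action: str = 'drop') -> str:
    """Build one rule. Host is matched exactly (startswith + endswith) so
    'example.com' does not also block 'notexample.com'; a path, when given,
    is matched as a prefix of the request URI."""
    parts = [
        f'msg:"URL filter: {escape_content(host + path)}"',
        'flow:established,to_server',
        'http.host', f'content:"{escape_content(host)}"', 'startswith', 'endswith',
    ]
    if path:
        parts += ['http.uri', f'content:"{escape_content(path)}"', 'startswith']
    parts += ['classtype:policy-violation', f'sid:{sid}', 'rev:1']
    return f'{action} http $HOME_NET any -> $EXTERNAL_NET any ({"; ".join(parts)};)'


def generate_rules(entries, base_sid: int = 9000000, action: str = 'drop'):
    """Return a list of rule strings, one per non-comment entry, with
    consecutive sids starting at base_sid (assumed free in local rule sets)."""
    rules = []
    sid = base_sid
    for entry in entries:
        parsed = parse_entry(entry)
        if parsed is None:
            continue
        host, path = parsed
        rules.append(make_rule(host, path, sid, action))
        sid += 1
    return rules


if __name__ == '__main__':
    # Constructed sample deny-list standing in for the DB export.
    sample_db = [
        '# blocked by policy',
        'example.com',
        'HTTP://Evil.Example/blocked/path',
        'tracker.example:8080/pixel',
    ]
    for rule in generate_rules(sample_db):
        print(rule)
```

Write the output to a file listed under `rule-files` in suricata.yaml and run `suricata -T` before loading it; a deny-list entry containing a character the escaping above does not cover will fail that syntax check rather than silently match nothing. Because the host match is exact, subdomains need their own entries or a separate rule without `startswith`.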