[Oisf-users] Suricata as a Web Firewall.

Michał Purzyński michalpurzynski1 at gmail.com
Thu Dec 6 03:02:27 UTC 2018


:me agrees with the architecture presented by Cooper!

There are way better, dedicated tools to do the job. Nginx with Lua as a WAF, or mod_security.

It has nothing to do with Suricata itself, it’s just about how powerful the architecture is, when sandwiched this way.

> On Dec 5, 2018, at 9:12 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
> 
> This is just my opinion, but I'm a fan of 'defense-in-depth', so my general model is to put your 'active' security controls in first (like a WAF); then use suricata to monitor how well they are working.
> 
> So I would use NGINX as a reverse-proxy/SSL terminator and then put something like Apache with mod_security behind it, with suricata monitoring the decrypted traffic. Do one thing and do it well.
> 
> In general I do not like the 'IPS' model given how common false-positives are, combined with a simple core belief that we should be building robust software stacks, systems and networks vs. putting digital duct-tape on the wire. That strikes me as simply sloppy engineering.
> 
> -Coop
> 
>> On 12/5/2018 8:47 AM, Charles Devoe wrote:
>> Is there a reason why Suricata could not be used as a WAF? Personally, it seems to me that if I can use the same tool to accomplish two things I will be further ahead as I won't have to learn another tool.
> -- 
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> 
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
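As an added example, not part of this thread and not any poster's own configuration, here is what the NGINX side of the architecture Cooper describes could look like: NGINX terminating TLS in front, Apache with mod_security behind it, and Suricata watching the plaintext leg between the two. Hostnames, the upstream address, ports and certificate paths are assumed placeholders.

```nginx
# Added example (not from the thread): NGINX as the TLS-terminating reverse proxy.
# The upstream is Apache + mod_security on an internal interface that Suricata
# also monitors (af-packet on that interface or a SPAN/mirror port), so the IDS
# sees decrypted HTTP rather than TLS ciphertext. Addresses and paths are placeholders.

upstream waf_backend {
    server 10.0.1.10:8080;   # placeholder: Apache + mod_security, internal segment only
    keepalive 16;
}

server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/www.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Bound request bodies at the edge; the WAF behind still enforces its own limits.
    client_max_body_size 10m;

    location / {
        proxy_pass http://waf_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host              $host;
        # Preserve the real client address so mod_security (via mod_remoteip)
        # and Suricata alerts attribute hits to the client, not to the proxy.
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two points a practitioner would check with this layout. First, the proxy-to-WAF leg is cleartext, so it belongs on a dedicated internal segment that only the proxy, the WAF host and the Suricata sensor can reach; Suricata's HTTP keywords and EVE `http` logging then work because they see plaintext, which is the whole reason for sandwiching it this way. Second, on the Apache side, mod_remoteip should be configured with `RemoteIPHeader X-Forwarded-For` and `RemoteIPInternalProxy` limited to the NGINX address, so that only the trusted proxy can set the client IP and mod_security's per-client rules and logs are not fooled by a spoofed header.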