[Oisf-users] Suricata as a Web Firewall.
Nelson, Cooper
cnelson at ucsd.edu
Thu Dec 6 16:54:42 UTC 2018
It’s also a good idea to have multiple sources of threat intel, so in this example have a commercial vendor provide signatures for mod_security, while a different vendor provides them for suricata.
-Coop
From: Michał Purzyński <michalpurzynski1 at gmail.com>
Sent: Wednesday, December 5, 2018 7:02 PM
To: Nelson, Cooper <cnelson at ucsd.edu>
Cc: Charles Devoe <Charles.Devoe at cisecurity.org>; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata as a Web Firewall.
:me agrees with the architecture presented by Cooper!
There are way better, dedicated tools to do the job. Nginx with Lua as a WAF, or mod_security.
It has nothing to do with Suricata itself, it’s just about how powerful the architecture is, when sandwiched this way.
On Dec 5, 2018, at 9:12 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
This is just my opinion, but I'm a fan of 'defense-in-depth', so my general model is to put your 'active' security controls in first (like a WAF); then use suricata to monitor how well they are working.
So I would use NGINX as a reverse-proxy/SSL terminator and then put something like Apache with mod_security behind it, with suricata monitoring the decrypted traffic. Do one thing and do it well.
In general I do not like the 'IPS' model given how common false-positives are, combined with a simple core belief that we should be building robust software stacks, systems and networks vs. putting digital duct-tape on the wire. That strikes me as simple sloppy engineering.
-Coop
On 12/5/2018 8:47 AM, Charles Devoe wrote:
Is there a reason why Suricata could not be used as a WAF? Personally, it seems to me that if I can use the same tool to accomplish two things I will be further ahead, as I won't have to learn another tool.
--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
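The "sandwich" Cooper describes (NGINX terminating TLS in front, Apache with mod_security behind it, Suricata watching the cleartext hop between them) expressed as an NGINX configuration fragment. This is an added illustration, not configuration posted in the thread; the hostname, certificate paths, backend address and interface name are assumed placeholders.

```nginx
# Added illustration of the NGINX -> (Suricata sniffing) -> Apache+mod_security
# layout discussed above. Hostname, paths and addresses are assumed placeholders.
server {
    listen 443 ssl;
    server_name www.example.com;                        # assumed hostname

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Hand the request to the backend as plain HTTP over an internal
        # segment. Suricata is run in passive mode on that segment (for
        # example `suricata -i eth1` on the proxy host, or from a span port),
        # so it sees the decrypted request before mod_security on Apache
        # accepts or rejects it. Suricata only alerts here; the active
        # control is the WAF, which matches the defense-in-depth model above.
        proxy_pass         http://10.0.0.10:8080;       # assumed Apache+mod_security backend
        proxy_set_header   Host $host;
        # Pass the real client address so mod_security rules and Suricata
        # alerts can be correlated on the same source IP.
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

Two practical caveats for this layout: the proxy-to-Apache hop is cleartext by design so Suricata can inspect it, so that segment must be isolated (a dedicated interface or VLAN, not the public network), and because NGINX rewrites the TCP connection, Suricata's alerts on that hop will carry NGINX's address as the source unless you correlate them with the X-Forwarded-For header that mod_security logs.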