[Oisf-users] Suricata as a Web Firewall.

Nelson, Cooper cnelson at ucsd.edu
Thu Dec 6 16:54:42 UTC 2018

It’s also a good idea to have multiple sources of threat intel, so in this example have a commercial vendor provide signatures for mod_security, while a different vendor provides them for suricata.


From: Michał Purzyński <michalpurzynski1 at gmail.com>
Sent: Wednesday, December 5, 2018 7:02 PM
To: Nelson, Cooper <cnelson at ucsd.edu>
Cc: Charles Devoe <Charles.Devoe at cisecurity.org>; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata as a Web Firewall.

:me agrees with the architecture presented by Cooper!

There are way better, dedicated tools to do the job. Nginx with Lua as a WAF, or mod_security.

It has nothing to do with Suricata itself; it’s just about how powerful the architecture is when sandwiched this way.

On Dec 5, 2018, at 9:12 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

This is just my opinion, but I'm a fan of 'defense-in-depth', so my general model is to put your 'active' security controls in first (like a WAF); then use suricata to monitor how well they are working.

So I would use NGINX as a reverse-proxy/SSL terminator and then put something like Apache with mod_security behind it, with suricata monitoring the decrypted traffic.  Do one thing and do it well.

In general I do not like the 'IPS' model given how common false-positives are, combined with a simple core belief that we should be building robust software stacks, systems and networks vs. putting digital duct-tape on the wire.  That strikes me as simple sloppy engineering.

On 12/5/2018 8:47 AM, Charles Devoe wrote:
Is there a reason why Suricata could not be used as a WAF?  Personally, it seems to me that if I can use the same tool to accomplish two things I will be further ahead, as I won’t have to learn another tool.


Cooper Nelson

Network Security Analyst

UCSD ITS Security Team

cnelson at ucsd.edu x41042
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
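As an added illustration of the sandwich Cooper describes (not from the thread or from any poster): an nginx server block that terminates TLS and forwards plaintext HTTP to an Apache/mod_security instance on an internal interface, so a Suricata sensor watching that interface sees the decrypted requests and can show how well the WAF is doing. The hostname, backend address, interface and certificate paths are assumptions.

```nginx
# Constructed example: nginx as TLS terminator in front of Apache + mod_security.
# Assumed: Apache listens on 10.0.0.2:8080, reached over an internal interface
# (e.g. eth1) that a Suricata sensor monitors in IDS mode, so it sees cleartext.
upstream waf_backend {
    server 10.0.0.2:8080;          # Apache with mod_security, plaintext HTTP
    keepalive 32;
}

server {
    listen 443 ssl;
    server_name www.example.org;   # assumed hostname

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://waf_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        # Pass the real client identity through: the backend and the sensor
        # otherwise only ever see nginx's own address as the source.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Because every flow on eth1 originates from nginx, Suricata's EVE output should be configured to take the client address from the X-Forwarded-For header (the `xff` option in suricata.yaml) so its alerts name the original client rather than the proxy.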