[Oisf-users] Suricata as a Web Firewall.

Charles Devoe Charles.Devoe at cisecurity.org
Fri Dec 7 13:46:57 UTC 2018

My thought here was using a different intel source that has WAF specific rules and modifying the rules to work with Suricata.  The WAF and IDS would be deployed separately.  By doing this we become experts in one engine (Suricata) while performing both functions.  As a disclaimer I have never set up a WAF and I am not a rules writing expert.

From: Nelson, Cooper <cnelson at ucsd.edu>
Sent: Thursday, December 06, 2018 11:55 AM
To: Michał Purzyński <michalpurzynski1 at gmail.com>
Cc: Charles Devoe <Charles.Devoe at cisecurity.org>; oisf-users at lists.openinfosecfoundation.org
Subject: RE: [Oisf-users] Suricata as a Web Firewall.

It’s also a good idea to have multiple sources of threat intel, so in this example have a commercial vendor provide signatures for mod_security, while a different vendor provides them for suricata.


From: Michał Purzyński <michalpurzynski1 at gmail.com>
Sent: Wednesday, December 5, 2018 7:02 PM
To: Nelson, Cooper <cnelson at ucsd.edu>
Cc: Charles Devoe <Charles.Devoe at cisecurity.org>; oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] Suricata as a Web Firewall.

:me agrees with the architecture presented by Cooper!

There are way better, dedicated tools to do the job. Nginx with Lua as a WAF, or mod_security.

It has nothing to do with Suricata itself, it’s just about how powerful the architecture is, when sandwiched this way.

On Dec 5, 2018, at 9:12 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:

This is just my opinion, but I'm a fan of 'defense-in-depth', so my general model is to put your 'active' security controls in first (like a WAF); then use suricata to monitor how well they are working.

So I would use NGINX as a reverse-proxy/SSL terminator and then put something like Apache with mod_security behind it, with suricata monitoring the decrypted traffic.  Do one thing and do it well.

In general I do not like the 'IPS' model given how common false-positives are, combined with a simple core belief that we should be building robust software stacks, systems and networks vs. putting digital duct-tape on the wire.  That strikes me as simple sloppy engineering.

On 12/5/2018 8:47 AM, Charles Devoe wrote:
Is there a reason why Suricata could not be used as a WAF?  Personally, it seems to me that if I can use the same tool to accomplish two things I will be further ahead as I won't have to learn another tool.


Cooper Nelson

Network Security Analyst

UCSD ITS Security Team

cnelson at ucsd.edu x41042

Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/
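The sandwich Cooper describes above (NGINX terminating TLS in front, Apache with mod_security behind it, Suricata watching the decrypted hop between them), written out as an added example NGINX configuration. This is not configuration from the thread or from any of its participants; the hostname, certificate paths and the backend address 10.0.1.20:8080 are placeholders.

```nginx
# Added example, not from the thread. NGINX terminates TLS on the public side
# and proxies plaintext HTTP to an Apache + mod_security backend on an internal
# link. Suricata is bound to that internal link (e.g. af-packet on the interface
# that carries it), so it sees the decrypted requests and responses, including
# whatever the WAF blocked or let through. All names and addresses are
# placeholders.

server {
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/example.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Internal, non-routable backend running Apache with mod_security.
        # Traffic on this hop is plaintext HTTP, which is what Suricata inspects.
        proxy_pass http://10.0.1.20:8080;

        # Preserve the original client and scheme so mod_security rules and
        # Suricata alerts attribute requests to the real source rather than
        # to the proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Redirect plain HTTP to HTTPS so no request bypasses TLS termination and the
# WAF behind it.
server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
```

Two things to check on the Suricata side of this layout. Because the backend listens on 8080 rather than 80, make sure any rules that use `$HTTP_PORTS` have that port included in the `vars` section of suricata.yaml (Suricata's protocol detection will still parse the stream as HTTP, but port-based rule headers will not match otherwise). And since every request on the monitored hop now has the proxy as its source address, enable the `xff` block in the eve-log output (reverse-proxy deployment, `X-Forwarded-For` header) so alerts carry the real client address; otherwise the "source IP" in every alert is just the NGINX box.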

