[Oisf-users] writing custom rule

[Nelson, Cooper]

This is a common discussion, recommend best practice is use a WAF for active defense and monitor the decrypted traffic with suricata.

Any time signatures are involved best practice is to have more than one source.  

-Coop

-----Original Message-----
From: Oisf-users <oisf-users-bounces at lists.openinfosecfoundation.org> On Behalf Of Vieri
Sent: Friday, February 22, 2019 1:28 AM
To: Greg Grasmehr <greg.grasmehr at caltech.edu>
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] writing custom rule

 
On Friday, February 22, 2019, 2:47:49 AM GMT+1, Greg Grasmehr <greg.grasmehr at caltech.edu> wrote: 
>
> Your only option is to drop those connections on the destination 
> server itself or you could also use a mod_security proxy to perform 
> that action, a WAF is the optimal solution in cases like this.

Thanks. I'd like to protect a non-Apache https web server from external attacks.
I guess I would need to configure a reverse proxy with both Apache mod_proxy and mod_security.
I configured a Squid reverse proxy to my non-Apache server. Never tried Apache mod_proxy.

So, this is a non-suricata topic.

Thanks again,

Vieri
_______________________________________________
Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users

Conference: https://suricon.net
Trainings: https://suricata-ids.org/training/