Discussion:
Monitoring web and proxy server with suricata
carlopmart
2011-03-28 08:23:08 UTC
Hi all,

I am trying to monitor my proxy and web servers with a suricata
sensor. For the other monitor tasks, I am using snort.

If I am not wrong, suricata stores http access (and I suppose alarms
too) in the http.log file, correct?? Actually, in this file only
access to my web servers appears, like in apache access.log:
practically the same info. Is this right?? How can I prevent suricata
registering the same info that apache does and store only http-related alarms??

And another question is: how can I monitor my proxy servers (squid)??
Using default emergingthreats rules I can't see which host makes the
requests to these proxies. Alarms only reflect my proxies as the origin
of all requests. How can I prevent this??

The only thing that occurred to me is to modify the rules and add two
new variables: $PROXY_SERVERS and $PROXY_PORTS. Then, I have
added/modified rules like this:

"tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS" by "tcp $HOME_NET any
-> $PROXY_SERVERS $PROXY_PORTS"

Is this correct?? If that is correct, how do I define $HOME_NET if I
just want to monitor the proxy servers??

Many thanks for your help.
--
CL Martinez
carlopmart {at} gmail {d0t} com
Victor Julien
2011-03-28 08:38:21 UTC
Post by carlopmart
Hi all,
I am trying to monitor my proxy and web servers with a suricata
sensor. For the other monitor tasks, I am using snort.
If I am not wrong, suricata stores http access (and I suppose alarms
too) in the http.log file, correct?? Actually, in this file only
No, only requests are in http.log. Alerts are in fast.log or (depending
on your config) in other logs.
Post by carlopmart
practically the same info. Is this right?? How can I prevent suricata
registering the same info that apache does and store only http-related alarms??
Just disable http.log in your suricata.yaml and enable fast.log.
Post by carlopmart
And another question is: how can I monitor my proxy servers (squid)??
Using default emergingthreats rules I can't see which host makes the
requests to these proxies. Alarms only reflect my proxies as the origin
of all requests. How can I prevent this??
That's hard. Proxies generally set a Via or X-Forwarded-For header in the
request containing the IP of the original sender. But I see a lot of
requests with forged headers, so I'd be hesitant to trust that. Currently
in Suricata there is no way to extract that and log it.

I guess the best solution would be to place suricata before the proxy
instead of after.
Post by carlopmart
The only thing that occurred to me is to modify the rules and add two
new variables: $PROXY_SERVERS and $PROXY_PORTS. Then, I have
"tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS" by "tcp $HOME_NET any
-> $PROXY_SERVERS $PROXY_PORTS"
Is this correct?? If that is correct, how do I define $HOME_NET if I
just want to monitor the proxy servers??
I'm not sure how that would help anything. Using such variables only
limits the number of IPs the rules are checked against. However, if all
requests are coming from the proxy anyway, nothing will change.

Cheers,
Victor
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
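To make the "disable http.log, enable fast.log" advice concrete, here is a suricata.yaml outputs fragment. This is an added illustration written for this thread, not configuration posted by either participant; the log directory and file names are Suricata's defaults and the layout follows the 1.x configuration file.

```yaml
# Added example: suricata.yaml "outputs" section with http.log disabled
# and fast.log enabled, as suggested in the reply above. Paths are the
# Suricata defaults; adjust default-log-dir if yours differs.
default-log-dir: /var/log/suricata

outputs:
  # Alerts (signature matches) are written here; this is the file the
  # poster actually wants to collect from the sensor.
  - fast:
      enabled: yes
      filename: fast.log
      append: yes

  # Per-request HTTP log. For the web servers this duplicates what apache
  # access.log already records, so it is switched off; only alerts remain.
  - http-log:
      enabled: no
      filename: http.log
      append: yes
```

After editing, restart Suricata (or send it SIGHUP on versions that support a reload) and confirm that http.log stops growing while fast.log receives the alerts.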
carlopmart
2011-03-28 08:47:32 UTC
Post by Victor Julien
Post by carlopmart
practically the same info. Is this right?? How can I prevent suricata
registering the same info that apache does and store only http-related alarms??
Just disable http.log in your suricata.yaml and enable fast.log.
Ok, thanks.
Post by Victor Julien
Post by carlopmart
And another question is: how can I monitor my proxy servers (squid)??
Using default emergingthreats rules I can't see which host makes the
requests to these proxies. Alarms only reflect my proxies as the origin
of all requests. How can I prevent this??
That's hard. Proxies generally set a Via or X-Forwarded-For header in the
request containing the IP of the original sender. But I see a lot of
requests with forged headers, so I'd be hesitant to trust that. Currently
in Suricata there is no way to extract that and log it.
I guess the best solution would be to place suricata before the proxy
instead of after.
Post by carlopmart
The only thing that occurred to me is to modify the rules and add two
new variables: $PROXY_SERVERS and $PROXY_PORTS. Then, I have
"tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS" by "tcp $HOME_NET any
-> $PROXY_SERVERS $PROXY_PORTS"
Is this correct?? If that is correct, how do I define $HOME_NET if I
just want to monitor the proxy servers??
I'm not sure how that would help anything. Using such variables only
limits the number of IPs the rules are checked against. However, if all
requests are coming from the proxy anyway, nothing will change.
Uhmm, I see... Then, the solution could be to configure suricata in
inline mode on the same host where I have installed squid, put the squid
server in transparent mode and define only the squid proxy servers' IPs as
$HOME_NET??
--
CL Martinez
carlopmart {at} gmail {d0t} com
carlopmart
2011-03-28 15:07:09 UTC
Post by carlopmart
Post by Victor Julien
Post by carlopmart
practically the same info. Is this right?? How can I prevent suricata
registering the same info that apache does and store only http-related alarms??
Just disable http.log in your suricata.yaml and enable fast.log.
Ok, thanks.
Post by Victor Julien
Post by carlopmart
And another question is: how can I monitor my proxy servers (squid)??
Using default emergingthreats rules I can't see which host makes the
requests to these proxies. Alarms only reflect my proxies as the origin
of all requests. How can I prevent this??
That's hard. Proxies generally set a Via or X-Forwarded-For header in the
request containing the IP of the original sender. But I see a lot of
requests with forged headers, so I'd be hesitant to trust that. Currently
in Suricata there is no way to extract that and log it.
I guess the best solution would be to place suricata before the proxy
instead of after.
Post by carlopmart
The only thing that occurred to me is to modify the rules and add two
new variables: $PROXY_SERVERS and $PROXY_PORTS. Then, I have
"tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS" by "tcp $HOME_NET any
-> $PROXY_SERVERS $PROXY_PORTS"
Is this correct?? If that is correct, how do I define $HOME_NET if I
just want to monitor the proxy servers??
I'm not sure how that would help anything. Using such variables only
limits the number of IPs the rules are checked against. However, if all
requests are coming from the proxy anyway, nothing will change.
Uhmm, I see... Then, the solution could be to configure suricata in
inline mode on the same host where I have installed squid, put the squid
server in transparent mode and define only the squid proxy servers' IPs as
$HOME_NET??
Is this the correct solution??

Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
carlopmart
2011-03-30 12:21:17 UTC
Post by carlopmart
Post by carlopmart
Post by Victor Julien
Post by carlopmart
practically the same info. Is this right?? How can I prevent suricata
registering the same info that apache does and store only http-related alarms??
Just disable http.log in your suricata.yaml and enable fast.log.
Ok, thanks.
Post by Victor Julien
Post by carlopmart
And another question is: how can I monitor my proxy servers (squid)??
Using default emergingthreats rules I can't see which host makes the
requests to these proxies. Alarms only reflect my proxies as the origin
of all requests. How can I prevent this??
That's hard. Proxies generally set a Via or X-Forwarded-For header in the
request containing the IP of the original sender. But I see a lot of
requests with forged headers, so I'd be hesitant to trust that. Currently
in Suricata there is no way to extract that and log it.
I guess the best solution would be to place suricata before the proxy
instead of after.
Post by carlopmart
The only thing that occurred to me is to modify the rules and add two
new variables: $PROXY_SERVERS and $PROXY_PORTS. Then, I have
"tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS" by "tcp $HOME_NET any
-> $PROXY_SERVERS $PROXY_PORTS"
Is this correct?? If that is correct, how do I define $HOME_NET if I
just want to monitor the proxy servers??
I'm not sure how that would help anything. Using such variables only
limits the number of IPs the rules are checked against. However, if all
requests are coming from the proxy anyway, nothing will change.
Uhmm, I see... Then, the solution could be to configure suricata in
inline mode on the same host where I have installed squid, put the squid
server in transparent mode and define only the squid proxy servers' IPs as
$HOME_NET??
Is this the correct solution??
Thanks.
Nothing??
--
CL Martinez
carlopmart {at} gmail {d0t} com
Victor Julien
2011-03-30 12:36:00 UTC
Post by carlopmart
Post by Victor Julien
Post by carlopmart
practically the same info. Is this right?? How can I prevent suricata
registering the same info that apache does and store only http-related alarms??
Just disable http.log in your suricata.yaml and enable fast.log.
Ok, thanks.
Post by Victor Julien
Post by carlopmart
And another question is: how can I monitor my proxy servers (squid)??
Using default emergingthreats rules I can't see which host makes the
requests to these proxies. Alarms only reflect my proxies as the origin
of all requests. How can I prevent this??
That's hard. Proxies generally set a Via or X-Forwarded-For header in the
request containing the IP of the original sender. But I see a lot of
requests with forged headers, so I'd be hesitant to trust that. Currently
in Suricata there is no way to extract that and log it.
I guess the best solution would be to place suricata before the proxy
instead of after.
Post by carlopmart
The only thing that occurred to me is to modify the rules and add two
new variables: $PROXY_SERVERS and $PROXY_PORTS. Then, I have
"tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS" by "tcp $HOME_NET any
-> $PROXY_SERVERS $PROXY_PORTS"
Is this correct?? If that is correct, how do I define $HOME_NET if I
just want to monitor the proxy servers??
I'm not sure how that would help anything. Using such variables only
limits the number of IPs the rules are checked against. However, if all
requests are coming from the proxy anyway, nothing will change.
Uhmm, I see... Then, the solution could be to configure suricata in
inline mode on the same host where I have installed squid, put the squid
server in transparent mode and define only the squid proxy servers' IPs as
$HOME_NET??
I think this should be able to work. Don't think it's needed to run
inline though, as long as you just make sure Suricata sees the traffic
before the proxy gets to it.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
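A suricata.yaml fragment for the setup the thread arrives at, added here as an illustration rather than taken from either participant: a passive sensor on the client-facing side of the squid proxies, so the real client addresses are the source of every request it inspects. It assumes the client subnets are what belongs in $HOME_NET in that position (because they are the source addresses the sensor now sees) and keeps the proxies in the separate $PROXY_SERVERS/$PROXY_PORTS variables carlopmart introduced; every address, port and interface name is a placeholder.

```yaml
# Added example, not from the thread: suricata.yaml fragment for a sensor
# placed before the squid proxies, capturing client-to-proxy traffic.
# All addresses, ports and the interface name are placeholders.
vars:
  address-groups:
    # Assumption: the client networks that send requests to the proxies.
    # In this sensor position these are the source addresses the rules see.
    HOME_NET: "[10.0.0.0/8,192.168.0.0/16]"
    EXTERNAL_NET: "!$HOME_NET"
    # The variable carlopmart introduced for the squid servers (placeholder IPs).
    PROXY_SERVERS: "[192.0.2.10,192.0.2.11]"
  port-groups:
    HTTP_PORTS: "80"
    # The variable carlopmart introduced for the squid listening port (placeholder).
    PROXY_PORTS: "3128"

# Passive capture on the interface that carries client-to-proxy traffic is
# sufficient; inline (NFQ) mode is not required, as Victor notes above.
pcap:
  - interface: eth1
```

With these variables, a rule header rewritten as `tcp $HOME_NET any -> $PROXY_SERVERS $PROXY_PORTS` matches client-to-proxy requests with the client, not the proxy, as the source. If squid runs transparently and clients still address the real web server, the stock `tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS` headers match unchanged, and the proxy variables are only needed for explicit-proxy traffic.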
carlopmart
2011-03-30 12:41:08 UTC
Post by Victor Julien
Post by carlopmart
Post by Victor Julien
Post by carlopmart
practically the same info. Is this right?? How can I prevent suricata
registering the same info that apache does and store only http-related alarms??
Just disable http.log in your suricata.yaml and enable fast.log.
Ok, thanks.
Post by Victor Julien
Post by carlopmart
And another question is: how can I monitor my proxy servers (squid)??
Using default emergingthreats rules I can't see which host makes the
requests to these proxies. Alarms only reflect my proxies as the origin
of all requests. How can I prevent this??
That's hard. Proxies generally set a Via or X-Forwarded-For header in the
request containing the IP of the original sender. But I see a lot of
requests with forged headers, so I'd be hesitant to trust that. Currently
in Suricata there is no way to extract that and log it.
I guess the best solution would be to place suricata before the proxy
instead of after.
Post by carlopmart
The only thing that occurred to me is to modify the rules and add two
new variables: $PROXY_SERVERS and $PROXY_PORTS. Then, I have
"tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS" by "tcp $HOME_NET any
-> $PROXY_SERVERS $PROXY_PORTS"
Is this correct?? If that is correct, how do I define $HOME_NET if I
just want to monitor the proxy servers??
I'm not sure how that would help anything. Using such variables only
limits the number of IPs the rules are checked against. However, if all
requests are coming from the proxy anyway, nothing will change.
Uhmm, I see... Then, the solution could be to configure suricata in
inline mode on the same host where I have installed squid, put the squid
server in transparent mode and define only the squid proxy servers' IPs as
$HOME_NET??
I think this should be able to work. Don't think it's needed to run
inline though, as long as you just make sure Suricata sees the traffic
before the proxy gets to it.
Many thanks Victor. I will try it as soon as possible.
--
CL Martinez
carlopmart {at} gmail {d0t} com