FireBall
asked on
suricata drop unknown user agent
How should I be sure whether Suricata is dropping that traffic or not ("useragent unknown")?
10/08/2015-17:08:55.167477 www.xxx.com [**] / [**] <useragent unknown> [**] 89.184.73.241:58668 -> 37.123.101.43:80
10/08/2015-17:08:55.212255 www.xxx.com [**] / [**] <useragent unknown> [**] 89.184.75.24:43520 -> 37.123.101.43:80
10/08/2015-17:08:55.386484 www.xxx.com [**] / [**] <useragent unknown> [**] 89.184.73.241:58770 -> 37.123.101.43:80
10/08/2015-17:08:55.652528 www.xxx.com [**] / [**] <useragent unknown> [**] 89.184.73.241:58830 -> 37.123.101.43:80
10/08/2015-17:08:56.105059 www.xxx.com [**] / [**] <useragent unknown> [**] 89.184.75.24:43825 -> 37.123.101.43:80
10/08/2015-17:08:56.145159 www.xxx.com [**] / [**] <useragent unknown> [**] 77.87.197.102:42975 -> 37.123.101.43:80
10/08/2015-17:08:56.477456 www.xxx.com [**] / [**] <useragent unknown> [**] 77.87.197.102:43199 -> 37.123.101.43:80
10/08/2015-17:08:56.544917 www.xxx.com [**] / [**] <useragent unknown> [**] 89.184.75.24:43983 -> 37.123.101.43:80
ASKER
Should I use Suricata on a machine which is configured to bridge interfaces, with no Apache, to clean this type of traffic? Have you ever tried something like that?
I want to do something like that:
Switch ---- SURICATA SERVER ----- Web hosting server
Should it clean the traffic as given above?
As drawn it is inline. I do suggest you consider this placement, which can still function as a bridge. The example uses br0 as the bridge interface and needs iptables rules added for the FORWARD chain, for traffic traversing the bridge.
http://taosecurity.blogspot.sg/2014/01/suricata-20beta2-as-ips-on-ubuntu-1204.html
ASKER
The WAF is Suricata.
First link on the left is for outbound.
Second link on the left is UDP inbound.
Third link on the left is TCP inbound.
Under the SRX, port 80 is redirected to the WAF.
The end EX 4500 keeps all gateways on it; the MX is just used for static routes.
So I think that should succeed in cleaning up illegal HTTP traffic.
Suricata is not a WAF per se; you should at least go for mod_security. IPS vs. WAF is very different. Nonetheless, I see your intent is to inspect the inbound traffic only. The bridge is supposed to be alright; I am assuming your other traffic routing is fine.
You probably can run tcpdump on the Suricata interfaces to see the traffic that is expected incoming, but I am wondering whether the TCP 3-way handshake is actually established, with traffic of NEW, ESTABLISHED minimally... Also note the example link is using NFQUEUE in the iptables rules so that it will send packets to Suricata for processing. https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Setting_up_IPSinline_for_Linux
ASKER
Yes, but our main aim is to protect port 80 from botnet attacks. We have no other problem on our network.
Do you have a WAF recommendation that works like a Squid proxy? I mean one which does not require a config for each web site and applies OWASP rules in this mode.
A WAF should be able to handle a transparent bridge, like layer 2 inspection, too.
https://techlib.barracuda.com/waf/deploymentmode
ASKER
Yes, we have talked to them, but their software needs each site's config to be created on the WAF.
That is what it has to do, as to go into that L7 layer you need that specific handling. However, there may be means of lesser hassle, though it is not as straightforward as placing an IPS. See F5 transparent mode; better to check with their technical team to drill into your use case...
https://devcentral.f5.com/questions/asm-transparent-bridge-mode-detect-capabilities
ASKER
Yes, but Squid + nginx is a good pairing to work without writing a config on a server, which can handle the traffic from the WAN and get responses from the LAN.
But I could not find 2 things:
1. mod_security and nginx integration
2. showing the default proxy Squid and redirecting all connections to Squid
ASKER CERTIFIED SOLUTION
ASKER
Thank you so much for this good conversation and for your time. I will check deeper with these links.
thanks for sharing
Good to check inside your suricata.yaml, which contains the configuration of Suricata, that a signature such as "useragent unknown" (or equivalent) has the Action property set to "Drop".
See the action descriptions for information:
>For Drop, it only concerns the IPS/inline mode. If the program finds a signature that matches, containing drop, it stops immediately. So what we should observe in "Drop" is that the receiver does not receive a message of what is going on, resulting in a time-out (certainly with TCP). Suricata generates an alert for this packet.
>For Alert, it is when a signature matches and contains alert. Only the system administrator can notice this alert.
>For Reject, both receiver and sender receive a reject packet. Slightly different from "Drop" is that if the offending packet concerns TCP, it will be a Reset packet. For all other protocols it will be an ICMP error packet. But when it is in Inline/IPS mode, the offending packet will also be dropped, like with the 'Drop' action.
Ref - https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
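As an added illustration (not code from the thread or from Suricata itself): a small Python parser for the log lines quoted in the question, assumed to be Suricata's http.log format, which counts requests that arrived with no User-Agent header per source address, plus a helper for the check the last reply is getting at, namely whether an alert line in fast.log carries Suricata's `[Drop]` marker (packet actually dropped in inline mode) or `[wDrop]` (a drop rule matched but Suricata ran in IDS mode, so nothing was blocked). The fast.log lines, the `Mozilla/5.0 (constructed)` request and signature id 1000001 are constructed placeholders.

```python
import re
from collections import Counter

# Field layout of the Suricata http.log lines quoted in the question:
#   <timestamp> <host> [**] <uri> [**] <user-agent> [**] <src>:<sport> -> <dst>:<dport>
HTTP_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+\[\*\*\]\s+(?P<uri>\S+)\s+\[\*\*\]\s+(?P<ua>.*?)\s+\[\*\*\]\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# Placeholder Suricata writes into http.log when the request carried no User-Agent header.
NO_UA = "<useragent unknown>"

def parse_http_log(line):
    """Return the fields of one http.log line as a dict, or None if the line does not match."""
    m = HTTP_LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def missing_ua_by_source(lines):
    """Count requests that carried no User-Agent header, keyed by source IP."""
    counts = Counter()
    for line in lines:
        rec = parse_http_log(line)
        if rec and rec["ua"] == NO_UA:
            counts[rec["src"]] += 1
    return counts

def fast_log_action(line):
    """Classify a fast.log alert line by the marker Suricata places before the first [**]:
    '[Drop]' = packet really dropped (IPS/inline mode), '[wDrop]' = drop rule matched but
    Suricata ran in IDS mode and only alerted, no marker = plain alert."""
    head = line.split("[**]", 1)[0]
    if "[Drop]" in head:
        return "drop"
    if "[wDrop]" in head:
        return "would-drop"
    return "alert"

# Sample input: three http.log lines copied from the question plus one constructed line that
# has a User-Agent, and two constructed fast.log lines (sid 1000001 is a placeholder).
SAMPLE_HTTP_LOG = [
    "10/08/2015-17:08:55.167477 www.xxx.com [**] / [**] <useragent unknown> [**] 89.184.73.241:58668 -> 37.123.101.43:80",
    "10/08/2015-17:08:55.212255 www.xxx.com [**] / [**] <useragent unknown> [**] 89.184.75.24:43520 -> 37.123.101.43:80",
    "10/08/2015-17:08:55.386484 www.xxx.com [**] / [**] <useragent unknown> [**] 89.184.73.241:58770 -> 37.123.101.43:80",
    "10/08/2015-17:08:57.000000 www.xxx.com [**] /index.html [**] Mozilla/5.0 (constructed) [**] 192.0.2.10:51000 -> 37.123.101.43:80",
]
SAMPLE_FAST_LOG = [
    "10/08/2015-17:08:55.167477 [Drop] [**] [1:1000001:1] LOCAL HTTP request without User-Agent [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 89.184.73.241:58668 -> 37.123.101.43:80",
    "10/08/2015-17:08:55.212255 [**] [1:1000001:1] LOCAL HTTP request without User-Agent [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 89.184.75.24:43520 -> 37.123.101.43:80",
]

if __name__ == "__main__":
    for src, n in missing_ua_by_source(SAMPLE_HTTP_LOG).most_common():
        print(f"{src}: {n} request(s) without User-Agent")
    for line in SAMPLE_FAST_LOG:
        print(fast_log_action(line), "<-", line[:60])
```

If fast.log only ever shows `[wDrop]` or no marker for the rule in question, Suricata is alerting but not blocking, which is exactly what the asker's http.log lines alone cannot tell you.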