An IDS/IPS can't protect my web server?

Hack3rcon · February 19, 2021, 6:50am

Hello,
Is below figure OK?

Suricata-IDS in IPS mode can’t protect my Apache server?

Thank you.

Hack3rcon · February 23, 2021, 12:36pm

Hello,
Any opinion welcomed.

Thanks.

Jungho · February 25, 2021, 4:51pm

This question cannot be an equally clear answer under any circumstances. For example, if the Apache server is encrypted with TLS, it is difficult not only by Suricata, but also by other security solutions. However, if the area is decrypted by Apache server reverse proxy, etc., the story is different. I think the attached table is an extreme example.

Hack3rcon · February 26, 2021, 10:35am

Thank you for your reply.
Thus, Suricata-IDS in drop mode is just useful for HTTP and other protocols that doesn’t encrypt?
Then, the WAF is the only solution?

Jungho · February 27, 2021, 2:52am

WAF may be suitable if your server is encrypted with TLS. If your WAF is to detect requests that have already been decrypted, like modsecurity, there is no problem. However, WAF located in front of the web like Suricata must be decrypted through SSL/TLS Termination. Supporting SSL/TLS Termination means that already at this point, Suricata is also likely to check the decrypted traffic.

Hack3rcon · February 27, 2021, 10:05am

Thank you so much.
Is you mean:
Internet Traffic —> WAF —> Suricata-IDS —> Web site
Can you show me a diagram about it?

Jungho · March 2, 2021, 1:47pm

Internet → WAF → IDS/IPS → Web Server
The diagram above is correct.
However, in my actual experience, in this diagram, the SSL decryption entity (Termination) exists in the WAF location and the actual WAF(Dedicated) is often located behind the IDS/IPS.
This is only my experience, and there are various cases depending on the usage environment.

Hack3rcon · March 2, 2021, 6:07pm

Thank you.
For WAF and Suricata-IDS, I must have two servers. One for the ModSecurity and another one for Suricata-IDS. Can’t have both on one server?

Jungho · March 4, 2021, 8:18am

It is possible to configure the two solutions to work together on a single server, but it is not recommended for performance reasons. In addition, if it is configured in IPS mode (Suricata inline), the configuration is also complicated.

Hack3rcon · March 5, 2021, 9:30am

Thank you.
As a final word, Suricata-IDS and other security products can help my server if the connections are not encrypted?

Jungho · March 5, 2021, 1:10pm

If it’s not encrypted, it doesn’t matter.
Even if the connection is encrypted, it is limited, such as threshold detection or a combination of features of TCP, but some can be handled.

Hack3rcon · March 6, 2021, 3:35pm

Thus, Suricata-IDS can protect a server in HTTP mode and in the HTTPS mode, it just can handle some requests. Is it right?

Jungho · March 6, 2021, 3:43pm

Yes, that’s right.
When used properly, it can respond to threats.

Topic		Replies	Views
The correct location of suricata-IDS Help	15	376	October 8, 2023
Use Suricata-IDS as a WAF Help	5	2328	February 8, 2021
Suricata with Nginx Reverse Proxy Help	3	1336	July 12, 2022
Suricata-IDS and Apache attack Help	0	501	January 12, 2021
Can Suricata-IDS protect a service like vsftpd from Brute-force attack? Help	9	1712	August 23, 2020

An IDS/IPS can't protect my web server?

Related Topics