The correct location of suricata-IDS

Hack3rcon · September 14, 2023, 12:50pm

Hello,
To protect a website from attacks, I want to use Suricata. Can I install Suricata-IDS on the same web server or should I install it on another server and put the web server behind Suricata-IDS?

Thank you.

Hack3rcon · October 3, 2023, 7:45pm

Hello,
No idea?

Thanks.

samiux · October 5, 2023, 4:17pm

Since Suricata does not handle SSL/TLS well, I think it is not suitable for working as WAF (Web Application Firewall). You better to get a WAF for your website.

Hack3rcon · October 5, 2023, 6:32pm

Hello,
Thank you so much for your reply.
So shouldn’t I install Suricata-IDS on a web server like the Apache?

How about this setup?

Internet ---> Apache Reverse Proxy + Suricata-IDS ---> Website

ish · October 5, 2023, 6:35pm

You could, but why not run a real WAF at the reverse proxy then?

Hack3rcon · October 5, 2023, 6:46pm

Hello,
Thank you so much for your reply.
Can’t Suricata-IDS in IPS mode stop some attacks?

jufajardini · October 5, 2023, 7:02pm

It can, but it could also stop traffic that you want to go through.

Suricata in IPS mode is usually something to be used by someone who is already more familiar with the engine, or at least in very experimental environments, at first.

Hack3rcon · October 5, 2023, 7:15pm

Hello,
Thank you so much for your reply.
Why might Suricata-IDS also block legal traffic?

jufajardini · October 5, 2023, 7:18pm

(Talking about Suricata in IPS mode, here). There can always be false positives, especially when still tuning a tool.

This could lead to “legal traffic” being blocked, for instance. Your rules need to be really well-tuned, I would say, to avoid that.

Hack3rcon · October 5, 2023, 7:25pm

Thanks again.
1- Is this a Suricata-IDS problem or do other products like the Snort have the same problem?

2- Can’t or shouldn’t I install Suricata-IDS on the main web server? Does Suricata-IDS have to be installed on a web server like a reverse proxy?

jufajardini · October 6, 2023, 2:03pm

No problems!

A1: I would say that whenever you are dealing with real traffic and trying to block potential threats you’ll incur the risk of blocking legal traffic on occasion, so I would say any tool, not something specific to Suricata.

A2: As to your other question, folks have offered some answers, so I don’t feel I have much to add there.

Hack3rcon · October 6, 2023, 5:56pm

Hello,
Thank you so much for your reply.
In the picture below, I can see that Suricata-IDS and the web server are installed together:

iptables2

jufajardini · October 6, 2023, 7:15pm

If this is a personal project, and not something in production, you could give it a go and see how it goes, then you’ll have your experience on how things go

Hack3rcon · October 7, 2023, 5:30am

Hello,
What is your experience about this?

jufajardini · October 7, 2023, 5:14pm

I am a Suricata developer, so that’s not my area of expertise, that’s why I pointed out to what the other folks have answered here. In any case, such a setup seems like something that should be experimented on a lot, before trying to make it work on production…

Hack3rcon · October 8, 2023, 6:40am

Hello,
Thank you so much for all the replies.

Topic		Replies	Views
An IDS/IPS can't protect my web server? Help	12	1743	March 6, 2021
Use Suricata-IDS as a WAF Help	5	2337	February 8, 2021
How to setup Suricata-IDS between a Device and a server? Help	1	320	March 1, 2021
Suricata with Nginx Reverse Proxy Help	3	1353	July 12, 2022
How to setup Surciata-IDS between the Internet and web server? Help	14	1998	April 14, 2021

The correct location of suricata-IDS

Related Topics