The correct location of suricata-IDS

Hello,
To protect a website from attacks, I want to use Suricata. Can I install Suricata-IDS on the same web server or should I install it on another server and put the web server behind Suricata-IDS?

Thank you.

Hello,
No idea?

Thanks.

Since Suricata does not handle SSL/TLS well, I think it is not suitable for working as a WAF (Web Application Firewall). You'd better get a WAF for your website.

1 Like

Hello,
Thank you so much for your reply.
So shouldn’t I install Suricata-IDS on a web server like Apache?

How about this setup?

Internet ---> Apache Reverse Proxy + Suricata-IDS ---> Website

You could, but why not run a real WAF at the reverse proxy then?

1 Like

Hello,
Thank you so much for your reply.
Can’t Suricata-IDS in IPS mode stop some attacks?

It can, but it could also stop traffic that you want to go through.

Suricata in IPS mode is usually something to be used by someone who is already more familiar with the engine, or at least in very experimental environments, at first.

1 Like

Hello,
Thank you so much for your reply.
Why might Suricata-IDS also block legal traffic?

(Talking about Suricata in IPS mode, here). There can always be false positives, especially when still tuning a tool.

This could lead to “legal traffic” being blocked, for instance. Your rules need to be really well-tuned, I would say, to avoid that.

2 Likes
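Since the reply above stresses tuning rules before letting them block anything, here is an added example (not from this thread or the Suricata project) that triages Suricata eve.json alert records gathered in IDS (alert-only) mode, so noisy signatures are spotted before any of them is switched to `drop` in IPS mode. The eve.json records and the `NOISY_HITS` threshold are constructed for illustration.

```python
import json

# Constructed eve.json records following Suricata's documented alert schema
# (event_type, src_ip, alert.signature_id, alert.signature, alert.action).
# The last line is deliberately truncated to mimic a partially written log.
SAMPLE_EVE_LINES = [
    '{"event_type":"alert","src_ip":"203.0.113.10","dest_ip":"10.0.0.5","app_proto":"http",'
    '"alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"LOCAL http pattern A"}}',
    '{"event_type":"alert","src_ip":"203.0.113.11","dest_ip":"10.0.0.5","app_proto":"http",'
    '"alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"LOCAL http pattern A"}}',
    '{"event_type":"alert","src_ip":"203.0.113.12","dest_ip":"10.0.0.5","app_proto":"http",'
    '"alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"LOCAL http pattern A"}}',
    '{"event_type":"alert","src_ip":"203.0.113.12","dest_ip":"10.0.0.5","app_proto":"http",'
    '"alert":{"action":"allowed","signature_id":9000001,"rev":1,"signature":"LOCAL http pattern A"}}',
    '{"event_type":"alert","src_ip":"198.51.100.7","dest_ip":"10.0.0.5","app_proto":"http",'
    '"alert":{"action":"allowed","signature_id":9000002,"rev":1,"signature":"LOCAL http pattern B"}}',
    '{"event_type":"flow","src_ip":"198.51.100.8","dest_ip":"10.0.0.5","app_proto":"http"}',
    '{"event_type":"alert","src_ip":"198.51.100.9","alert":{',
]

# Constructed threshold sized for this tiny sample; on real traffic it would be
# derived from the volume seen during the IDS observation period.
NOISY_HITS = 3


def summarize_alerts(lines):
    """Aggregate alert events per signature id: hit count, name, distinct sources."""
    stats = {}
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or garbled records instead of aborting
        if event.get("event_type") != "alert":
            continue  # flow/http/dns records carry no signature verdict
        alert = event["alert"]
        entry = stats.setdefault(
            alert["signature_id"],
            {"signature": alert["signature"], "count": 0, "src_ips": set()},
        )
        entry["count"] += 1
        entry["src_ips"].add(event.get("src_ip"))
    return stats


def classify(stats, noisy_hits=NOISY_HITS):
    """Split signatures into 'tune first' (fire often, likely false positives
    against real traffic) and 'consider drop' (rare, reviewed case by case)."""
    tune_first = sorted(sid for sid, e in stats.items() if e["count"] >= noisy_hits)
    consider_drop = sorted(sid for sid, e in stats.items() if e["count"] < noisy_hits)
    return tune_first, consider_drop
```

Running this over a real eve.json from an IDS-mode deployment behind the reverse proxy gives a per-signature view to work through before changing any rule action to `drop`.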

Thanks again.
1- Is this a Suricata-IDS problem, or do other products like Snort have the same problem?

2- Can’t or shouldn’t I install Suricata-IDS on the main web server? Does Suricata-IDS have to be installed on a web server like a reverse proxy?

No problems!

A1: I would say that whenever you are dealing with real traffic and trying to block potential threats you’ll incur the risk of blocking legal traffic on occasion, so I would say any tool, not something specific to Suricata.

A2: As to your other question, folks have offered some answers, so I don’t feel I have much to add there. :)

Hello,
Thank you so much for your reply.
In the picture below, I can see that Suricata-IDS and the web server are installed together:

[image: iptables2]

If this is a personal project, and not something in production, you could give it a go and see how it goes, then you’ll have your experience on how things go :)

Hello,
What is your experience about this?

I am a Suricata developer, so that’s not my area of expertise, that’s why I pointed to what the other folks have answered here. In any case, such a setup seems like something that should be experimented on a lot, before trying to make it work in production…

1 Like

Hello,
Thank you so much for all the replies.

1 Like