Use Suricata-IDS as a WAF

Hack3rcon · February 5, 2021, 5:11pm

Hello,
Is it possible to use Suricata-IDS as a WAF? Something like “ModSecurity” or “Shadow Daemon”.

Thank you.

ish · February 5, 2021, 5:19pm

No, not really. The biggest obstacle is with encryption, without extra TLS decryptors you just can’t see whats happening over the majority of http traffic these days. If you need a WAF, you should probably use a WAF as they shouldn’t have this issue.

Hack3rcon · February 7, 2021, 6:22am

If Suricata-IDS run in drop mode then?

ish · February 7, 2021, 4:42pm

Its more about what it can see. As most traffic is HTTPS these days, Suricata can’t see it other than the TLS details. A real WAF usually works post-decryption so can see all. If you need a WAF, you need a WAF, not Suricata.

Hack3rcon · February 8, 2021, 9:18am

Can Suricata-IDS implement it in the future?

ish · February 8, 2021, 4:19pm

No, I don’t think so. WAFs, usually implemented as a proxy are way more aware of the HTTP sessions they are protecting. They are differnet tools for different jobs.

Topic		Replies	Views
An IDS/IPS can't protect my web server? Help	12	1899	March 6, 2021
The correct location of suricata-IDS Help	15	590	October 8, 2023
Suricata with Nginx Reverse Proxy Help	3	1772	July 12, 2022
Analyze HTTPS traffic with proxy Help suricata	5	1351	October 24, 2024
Hello Im newbie using Suricata Help centos , windows , rules , suricata	3	250	January 17, 2024

Use Suricata-IDS as a WAF

Related topics