Use Suricata-IDS as a WAF

Is it possible to use Suricata-IDS as a WAF? Something like “ModSecurity” or “Shadow Daemon”.

Thank you.

No, not really. The biggest obstacle is with encryption, without extra TLS decryptors you just can’t see what’s happening over the majority of HTTP traffic these days. If you need a WAF, you should probably use a WAF as they shouldn’t have this issue.


If Suricata-IDS runs in drop mode, then?

It’s more about what it can see. As most traffic is HTTPS these days, Suricata can’t see it other than the TLS details. A real WAF usually works post-decryption so can see all. If you need a WAF, you need a WAF, not Suricata.

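To make the visibility point concrete, here is an added example (not from anyone in this thread) of two Suricata rules: one that inspects a cleartext HTTP request the way a WAF signature would, and one that shows the most Suricata can key on when the same request is carried over TLS. `$HOME_NET`/`$EXTERNAL_NET` are the usual suricata.yaml variables, the hostname `shop.example` is a placeholder, and the SIDs are arbitrary local ones.

```suricata
# Added example, not part of the original thread. Suricata 6+ rule syntax.
# "drop" only takes effect when Suricata runs inline (NFQUEUE or AF_PACKET IPS mode);
# in plain IDS/pcap mode a drop rule behaves like an alert.

# 1. Cleartext HTTP: the HTTP parser exposes the request, so a WAF-style check on the
#    URI (here a naive "union ... select" SQLi probe) can match and the flow can be dropped.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"ADDED EXAMPLE SQLi probe in cleartext HTTP URI"; flow:to_server,established; http.uri; content:"union"; nocase; content:"select"; nocase; distance:0; classtype:web-application-attack; sid:9000001; rev:1;)

# 2. The same request over HTTPS: the HTTP layer sits inside TLS records and is never
#    parsed, so rule 1 cannot fire. Only handshake metadata (SNI, certificate fields,
#    JA3) is matchable, and a rule on the SNI says nothing about the request contents.
alert tls $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ADDED EXAMPLE TLS ClientHello to shop.example - request contents not visible"; flow:to_server,established; tls.sni; content:"shop.example"; nocase; sid:9000002; rev:1;)
```

For rule 1 to actually block anything, Suricata has to sit in the traffic path, for example `suricata -q 0` with the relevant traffic steered to it by an iptables `-j NFQUEUE --queue-num 0` rule. Rule 2 is the ceiling for HTTPS unless something in front of Suricata terminates TLS and hands it cleartext, which is the "extra TLS decryptor" mentioned above and is exactly the job a reverse-proxy WAF does natively.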

Can Suricata-IDS implement it in the future?

No, I don’t think so. WAFs, usually implemented as a proxy, are way more aware of the HTTP sessions they are protecting. They are different tools for different jobs.
