Requirement

I want to secure my production VMs on AWS; these VMs host critical web applications and can see around 500 Mbps of traffic during peak hours. I am already using the mod_security WAF but I am not very happy with it.

Here is what I am thinking:

What if I can use snort in a lightweight configuration to monitor only HTTP traffic (this would be behind SSL termination) and use open-source XSS and SQLi rules to add an additional layer of protection? The number of rules will be > 100.

By the time traffic hits my VMs it will be unencrypted. Moreover, as I am running snort on the same host, there won't be much of a semantic gap (a WAF has an edge over an IPS since it builds richer app-layer context and can detect layer 7 attacks more accurately). Is this understanding correct?

I can spare around 200Mb of memory and can take a 10% overhead on CPU performance.

Is snort the best bet here? I looked at Suricata, which seems to be easier on CPU but hard on memory. Please let me know if this makes sense at all. I want to stick to open source solutions.

Iornman l
  • Snort is a NIDS. Do you want a NIDS or a HIDS? – Neil McGuigan Mar 23 '16 at 17:44
  • I want something like snort to run on one VM and monitor only traffic hitting that VM. I have other tools for file integrity etc. per VM. The reason I want to move snort from the network to the VM is, I think snort will not be able to accurately detect web application attacks at the perimeter. It will be able to do so in a better way if it is on the VM where the application is running. E.g. it will see SQL queries the way MySQL will see them, which might not be true when snort is sitting at the perimeter. – Iornman l Mar 23 '16 at 17:52

0 Answers
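For the host-only HTTP monitoring the question describes, here is an added example of what the lightweight setup could look like; it is not from the asker or any answer. It assumes Snort 2.9 syntax, a VM private address of 10.0.1.25, listeners on ports 80 and 8080 that receive cleartext after TLS termination, and three constructed local rules that stand in for a maintained open-source web-attack ruleset such as the Emerging Threats open rules.

```snort
# Added example (not from the question): a minimal Snort 2.9 configuration
# for a single VM that inspects only cleartext HTTP arriving after TLS
# termination. Assumed values: the VM's private address 10.0.1.25 and an
# application listener on 8080 alongside 80.
ipvar HOME_NET [10.0.1.25/32]
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]
var RULE_PATH /etc/snort/rules

# Passive IDS with the memory-lean pattern matcher (ac-bnfa), which matters
# with a ~200 MB budget; the faster "ac" matcher costs far more memory
config daq: afpacket
config daq_mode: passive
config detection: search-method ac-bnfa
config logdir: /var/log/snort

# Reassemble TCP and normalise HTTP so http_uri / http_client_body and the
# PCRE U / P modifiers below match on decoded request data, not raw bytes
preprocessor stream5_global: track_tcp yes, track_udp no, track_icmp no
preprocessor stream5_tcp: policy linux, ports both 80 8080
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile apache ports { 80 8080 } \
    normalize_utf oversize_dir_length 500

# Maintained community rules would be included here; the three rules below
# are constructed illustrations only (sids >= 1000000 are reserved for local use)
include $RULE_PATH/local.rules

# --- contents of local.rules ---
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL SQLi UNION SELECT in URI"; \
    flow:to_server,established; content:"union"; nocase; http_uri; \
    pcre:"/union\s+(all\s+)?select/Ui"; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL SQLi tautology in POST body"; \
    flow:to_server,established; content:"POST"; http_method; content:"'"; http_client_body; \
    pcre:"/'\s*or\s*'?\d+'?\s*=\s*'?\d+/Pi"; classtype:web-application-attack; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL XSS script tag in URI"; \
    flow:to_server,established; content:"<script"; nocase; http_uri; \
    classtype:web-application-attack; sid:1000003; rev:1;)

# Start with a BPF filter so only HTTP is ever handed to the detection engine,
# which is what keeps the CPU cost near the stated 10% budget:
#   snort -c /etc/snort/snort.conf -i eth0 -A fast 'tcp port 80 or tcp port 8080'
```

Note that on the web VM Snort sees HTTP requests, not the SQL statements the application later sends to MySQL; the rules therefore match injection patterns in URIs and bodies, and a WAF's application-level context (parameter parsing, session state) is still something this setup does not provide.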