1

I want to prevent attacks on my nginx server. How can I proxy the requests through snort to the nginx server?

NFQueues are a solution. I am able to pass packets to snort using the following rules

sudo snort -Q --daq nfq --daq-var queue=1 -c /etc/snort/snort.conf

Now I have created the queue

sudo /usr/sbin/iptables -t nat -I PREROUTING -j NFQUEUE --queue-num 1
sudo /usr/sbin/iptables -I FORWARD -j NFQUEUE --queue-num 1

Is this enough, or do we need to do something else apart from this?

Nginx is running in the same system as snort.

  • If you are running both on the same server, then "in front" is not the correct term. You want to route the packets destined for the web service to snort and then back again. – schroeder Jul 02 '15 at 21:25
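An added example, not part of the original posts, illustrating the comment above: on a single host, packets addressed to a local socket traverse the INPUT chain rather than FORWARD, and the nat table is consulted only for the first packet of each connection. The check below reads `iptables-save`-format text on stdin and reports whether any NFQUEUE rule sits on that local-delivery path; the function names are hypothetical and both rule sets are constructed samples.

```shell
# Added example: lint iptables-save output for NFQUEUE rules that can
# actually see traffic addressed to a service running on this same host.

# Constructed sample, equivalent to the two rules in the question.
sample_question_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -j NFQUEUE --queue-num 1
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -j NFQUEUE --queue-num 1
COMMIT
EOF
}

# Constructed sample: queue only inbound web traffic for the local nginx.
sample_local_rules() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j NFQUEUE --queue-num 1
COMMIT
EOF
}

# Prints one verdict per NFQUEUE rule; returns 0 only if at least one rule
# sees every packet of a flow that is delivered to a local socket.
check_nfqueue_local() {
  awk '
    /^\*/ { table = substr($0, 2); next }      # "*filter", "*nat", ...
    $1 == "-A" && /-j NFQUEUE/ {
      chain = $2; where = table "/" chain
      if (table == "nat")
        print "WARN " where ": nat sees only the first packet of a connection"
      else if (chain == "FORWARD")
        print "WARN " where ": FORWARD carries routed traffic, not local delivery"
      else if (chain == "INPUT" || chain == "PREROUTING") {
        print "OK " where ": on the path to local sockets"; ok = 1
      } else
        print "INFO " where ": not on the inbound local-delivery path"
    }
    END { exit ok ? 0 : 1 }
  '
}
```

On a live system the input would come from `sudo iptables-save | check_nfqueue_local`.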

2 Answers

1

If your question is about configuring Snort as an IPS to protect your server, I believe you followed the right instructions to set it up. The rules you created seem legit; you'll have to download and keep rules up to date (I think PulledPork or Oinkcodes may help) if you haven't done it yet, and test it. It may also be convenient to create a service to start / restart / stop Snort.

If you want to know if using Snort is enough to secure your web server, sadly the answer is no…

1

A little off-topic: based on your scenario, running snort to protect nginx / web requests might be a little oversized. Also, snort will be useless once you use https in your nginx.

If your primary target is to protect against web-based attacks, then you might want to check out naxsi, a really nice and fast WAF solution for nginx and far superior to mod_security, except in some special cases. There is also an extended ruleset for naxsi, doxi-rules, which derives from the Emerging Threats snort rules.