Cheap VPS & Xen Server

Residential Proxy Network - Hourly & Monthly Packages

Stronghenge Application Firewall

Stronghenge is an Out-of-Band Application Firewall that can inspect both HTTP and HTTPS traffic for attacks against your web applications. Since Stronghenge’s detection engine is based off of the most widely deployed IDS/IPS technology worldwide, Snort, it’s easy to start using. Additionally, since it’s an Out- of-Band solution it requires little to no modification to your existing network. With Snort’s powerful regular expression support, you can implement a positive or negative security model.

With it’s standalone decryption engine for RSA algorithms and custom Snort additions, it can be deployed as a single or multiple appliance configuration where one device can do decryption where the other can do detection and blocking. However, this tutorial will just cover how to deploy as a single appliance configuration.



  • Stronghenge Appliance Software
  • Server or VM with 64bit Architecture
    (if on VM make sure to have appropriate resources)
  • 1 Management interface.
  • 1 Injection interface.
  • 1 Promiscuous interface.
    (Management, Injection, and Promiscuous interfaces can be on the same physical interface if your network is configured in the appropriate way.)
  • Web server private keys
  • Web servers should be configured to use only use RSA for SSL negotiation.
  • Snort or Mod Security signature experience would be good too, but not necessary.



Download Stronghenge Appliance Software ISO from:

Boot hardware off of Install CD.


Install appliance:





Configure network interfaces:




In this scenario eth0 is the interface that will be in promiscuous mode and it will also be the management interface. Leave dummy0 and dummy1 interfaces unconfigured, these will be used to send decrypted traffic to.

Configure time zone:



Configuring NTP is a good idea since this is a firewall.

Log-in as root. The password is: stronghenge

Change root password:


Configure Snort:

nano /etc/snort/snort.conf

config response: device ethX attempts 10

Make sure to put the appropriate interface.

Edit INTERFACE setting to monitor appropriate interfaces. Note: dummy0 and dummy1 interfaces are where decrypted traffic should be sent. If unsure interfaces to monitor set to:


Update System with YaST:



Configure the reset interface:

nano /etc/snort/snort.conf

config response: device ethX attempts 10

Put the correct interface for ethX.


Log-in to the management console via a web browser: https://<<IP_OR_HOST_OF_APPLIANCE>>/


Username and Password: stronghenge

Configure user accounts:


Configure SSL decryption:


The source interface is the interface that in promiscuous mode and that can see the traffic. The destination interface is where the decrypted traffic will be sent; in most cases this will be one of the dummy interfaces. Any modifications will automatically be applied to the running services.

If you won’t be decrypting any SSL traffic, leave the default configuration.

Configure rules:


This is where the power of this appliance can be realized. There are a couple of default rules to get you started.

Test rules:



SSL vs Non-SSL


Advanced Configuration:

Tweaking the promiscuous interface

Use ethtool to get get better RX performance. To find out the max the card can support issue the following command, put the correct interface for ethX:

ethtool -g ethX

Now set the max RX rate substituting the appropriate values for ethX and max_value.

ethtool -G ethX rx max_value

To automatically set the value on boot:

echo “ethtool -G ethX rx max_value” >> /etc/init.d/boot.local


Tweaking Snort

For high traffic environments add the following parameters to the existing options in: /etc/snort/snort.conf

preprocessor stream5_global: memcap 268435456
preprocessor stream5_tcp: max_queued_segs 1073741824, max_queued_bytes 1073741824