Snort mailing list archives

Re: https and http_inspect gives *many* false positives


From: Edward van der Jagt <snort-users () evdj com>
Date: Wed, 14 Jan 2004 01:15:15 +0100

>> But I still would like to know if something unwanted is travelling through
>> my proxy servers. If http_inspect is disabled for port 80, non-HTTPS requests
>> will then be missed by the preprocessor. So if someone is attacking a server,
>> internal (WAN) or external (Internet) by using some url based attack which
>> http_inspect should detect, this url request will be made through the proxy
>> (firewalls block direct access). Disabling the preprocessor is therefore
>> not a desirable option.

> All that only applies to internal attackers - correct? I mean your proxy
> server is only accessible by internal users isn't it? So do you really
> want to put up with this problem and the LARGE number of false positives
> you WILL see just so that you can discover if an internal user is
> attempting to break a Web server via your proxy? [I'm not saying that's
> a bad thing - it's just that most IDS people are only interested in
> external baddies - not internal]

Agreed. However in this case we are definitely interested in the internal
baddies as well. We're talking big network, *many* users, and quite a few
doing things they shouldn't do.
We've also seen confirmation that most attacks come from inside...

> Anyway, as this is a preprocessor, I think you're out of luck. If these
> alerts were caused by "alert" rules, you could simply put a "pass" rule
> above them saying something like "ignore port 80 connections starting
> with the string CONNECT" - which would cause HTTPS proxied queries to be
> ignored, and the rest to be still analysed. However, as this is a
> preprocessor, such logic does not apply.

> Have a look at
> http://www.snort.org/docs/snort_manual/node19.html
>
> suppress gen_id 119, sig_id 1, track by_dst, ip [private_proxy_ip/32]
> suppress gen_id 119, sig_id 2, track by_dst, ip [private_proxy_ip/32]
> suppress gen_id 119, sig_id 3, track by_dst, ip [private_proxy_ip/32]
>
> You would be ignoring events from internal clients to your proxy server
> but anything destined for the public address as a dst would still alert,
> you should still catch the questionable requests passed by the proxy to
> the internet or internal servers. Likewise, you could ignore them with a

This sounds good. Requests coming out of the proxy should be going to
regular ports (80/443). So they shouldn't be a problem anymore. We're
just going to have to correlate any positive events with the proxy log
then, but at least it is better than nothing.

> src of your local net and only see items from off net or your public
> address for the proxy. It is not a perfect solution but better than
> nothing. You should also look at using inspect_uri_only, it may be
> appropriate for this proxy server.

If I understand the manual completely, this is about equal to disabling
the preprocessor altogether. Unless of course any uricontent rules
require this preprocessor for them to work at all.

Anyway we'll try event suppression for now and see how well that works.
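As an added illustration (not code from the thread or from the Snort project) of the two steps discussed above, the script below emulates the three `suppress gen_id 119 ... track by_dst` lines against Snort "fast" alert lines and then correlates each surviving alert whose source is the proxy with a Squid-style access log to recover the internal client. The proxy address, the alert and log lines, and the assumption that both logs are in UTC are constructed for the example.

```python
"""Emulate 'suppress gen_id 119, sig_id 1-3, track by_dst, ip proxy/32' and
correlate the alerts that survive with the proxy's access log."""
import re
from datetime import datetime, timezone

PROXY_IP = "10.0.0.254"   # assumed private address of the proxy
YEAR = 2004               # Snort fast alerts carry no year; assumed

# Constructed Snort fast-alert lines (timestamps treated as UTC; messages are illustrative).
ALERTS = """\
01/14-01:15:15.100000  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 10.0.0.5:3456 -> 10.0.0.254:8080
01/14-01:15:15.400000  [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**] [Priority: 3] {TCP} 10.0.0.254:40001 -> 203.0.113.10:80
01/14-01:16:02.000000  [**] [1:1000001:1] local content rule [**] [Priority: 2] {TCP} 10.0.0.5:3457 -> 10.0.0.254:8080
""".splitlines()

# Constructed Squid native access.log lines: epoch elapsed client status bytes method url ident peer type
PROXY_LOG = """\
1074042914.900 120 10.0.0.5 TCP_MISS/404 512 GET http://203.0.113.10/%2541dmin/ - DIRECT/203.0.113.10 text/html
1074042960.000 80 10.0.0.7 TCP_MISS/200 2048 GET http://203.0.113.10/index.html - DIRECT/203.0.113.10 text/html
""".splitlines()

ALERT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(\d+):(\d+):\d+\]\s+(.*?)\s+\[\*\*\]"
    r".*\{\w+\}\s+([\d.]+):\d+\s+->\s+([\d.]+):(\d+)$")

def parse_alert(line):
    m = ALERT_RE.match(line)
    if not m:
        return None
    mon, day, clock, gid, sid, msg, src, dst, dport = m.groups()
    ts = datetime.strptime(f"{YEAR}-{mon}-{day} {clock}", "%Y-%m-%d %H:%M:%S.%f")
    return {"ts": ts.replace(tzinfo=timezone.utc).timestamp(), "gid": int(gid),
            "sid": int(sid), "msg": msg, "src": src, "dst": dst, "dport": int(dport)}

def suppressed(alert):
    """The thread's suppress lines: drop http_inspect events 1-3 whose dst is the proxy."""
    return alert["gid"] == 119 and alert["sid"] in (1, 2, 3) and alert["dst"] == PROXY_IP

def correlate(alert, window=5.0):
    """For an alert sourced from the proxy, find the client that asked the proxy
    for that destination server closest in time (within `window` seconds)."""
    if alert["src"] != PROXY_IP:
        return None
    best = None
    for f in (line.split() for line in PROXY_LOG):
        ts, client, url, peer = float(f[0]), f[2], f[6], f[8].split("/")[-1]
        delta = abs(ts - alert["ts"])
        if peer == alert["dst"] and delta <= window and (best is None or delta < best[0]):
            best = (delta, {"client": client, "url": url})
    return best and best[1]

def triage(alert_lines=ALERTS):
    """Alerts that survive suppression, each with the responsible client when known."""
    return [(a["gid"], a["sid"], a["src"], a["dst"], correlate(a))
            for a in map(parse_alert, alert_lines) if a and not suppressed(a)]
```

The first alert (client to proxy) is suppressed, the second (proxy to the Internet host) survives and is traced back to 10.0.0.5 via the proxy log, and the third, a plain rule hit, is untouched by the suppression.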


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net