Snort mailing list archives
Re: snort and squid
From: Seth <sethsec () gmail com>
Date: Fri, 18 Jan 2008 13:18:46 -0500
Helmut,

Did you also add 3128 to the http_inspect preprocessor? i.e.:

    http_inspect_server: server default profile all ports {80 3128}

-Seth

On Jan 18, 2008 10:14 AM, Helmut Schneider <jumper99 () gmx de> wrote:
> > Of course Snort will inspect the traffic. However, to view the internal ip, if the proxy is rewriting the Source IP, then it's a limitation. If your intention is other, please clarify.
>
> I'm afraid I am not sure I understand what you are asking then. It shouldn't matter if I inspect traffic from the proxy to the webserver or from the client to the proxy, the content should be the same. But - I put snort on the proxy and changed HTTP_PORTS to 3128. I use the same snort.conf for the external sensor and for the sensor on the proxy.
>
> Now, what happens is that I hit certain rules (e.g. SHELLCODE x86 NOOP, Invalid FTP Command, and some more, so the sensor itself is working fine) but I do not hit the porn or policy rules. I can wireshark the traffic from the client to the proxy, I see the words 'porn' or 'masturbate' or whatever in cleartext but snort does not hit some rules at all. At the same time the rules for porn or policy *are* hit on the external sensor.
>
> So now I wonder why the external sensor hits the rules while the sensor on the proxy does not, although I use exactly the same snort.conf except for HTTP_PORTS.
>
> Hope that clarifies. :)
>
> Helmut
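As an added illustration of Seth's point (this is not code from the thread or from the Snort project): in Snort 2.x, rule options such as uricontent and the http_* modifiers match only against buffers the http_inspect preprocessor has built, so any entry in HTTP_PORTS that http_inspect_server is not told about is a port on which those rules never fire, even though plain content rules on other ports keep alerting. The checker below reads a snort.conf and lists HTTP_PORTS entries that no http_inspect_server ports clause covers; the two config fragments are constructed examples of the before/after state described in the thread, not Helmut's real configuration.

```python
import re

# Constructed snort.conf fragments (not Helmut's real config). BEFORE mirrors the
# thread: HTTP_PORTS moved to 3128, but http_inspect still normalises port 80 only.
BEFORE = """\
portvar HTTP_PORTS [3128]
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \\
    profile all ports { 80 }
"""
# AFTER applies Seth's suggestion: http_inspect covers every HTTP_PORTS entry.
AFTER = """\
portvar HTTP_PORTS [80,3128]
preprocessor http_inspect_server: server default profile all ports { 80 3128 }
"""

def _join_continuations(conf):
    """Fold backslash-newline continuations so each directive is one line."""
    return re.sub(r"\\\n\s*", " ", conf)

def _expand(items):
    """Turn '80' and '8000:8002' style tokens into a set of ints."""
    ports = set()
    for tok in items:
        lo, _, hi = tok.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def http_ports(conf):
    """Ports declared by 'var HTTP_PORTS 80' or 'portvar HTTP_PORTS [80,3128]'."""
    m = re.search(r"^\s*(?:port)?var\s+HTTP_PORTS\s+(\[[^\]]*\]|\S+)",
                  _join_continuations(conf), re.M)
    if not m:
        return set()
    return _expand(re.findall(r"\d+(?::\d+)?", m.group(1)))

def http_inspect_ports(conf):
    """Union of the 'ports { ... }' clauses of every http_inspect_server line."""
    ports = set()
    pat = r"^\s*preprocessor\s+http_inspect_server:.*?ports\s*\{([^}]*)\}"
    for m in re.finditer(pat, _join_continuations(conf), re.M):
        ports.update(_expand(m.group(1).split()))
    return ports

def uninspected_http_ports(conf):
    """HTTP_PORTS entries http_inspect will not normalise: uricontent/http_*
    rules bound to $HTTP_PORTS silently never fire on these ports."""
    return sorted(http_ports(conf) - http_inspect_ports(conf))

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("after", AFTER)):
        print(name, "ports missing from http_inspect:", uninspected_http_ports(conf))
```

Run it against the proxy sensor's snort.conf; a non-empty list for the port the proxy listens on is the mismatch Seth is asking about.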
Current thread:
- snort and squid Helmut Schneider (Jan 17)
- Re: snort and squid Paul Melson (Jan 17)
- Re: snort and squid Helmut Schneider (Jan 17)
- Re: snort and squid Joel Esler (Jan 17)
- Re: snort and squid Helmut Schneider (Jan 18)
- Re: snort and squid Joel Esler (Jan 18)
- Re: snort and squid Helmut Schneider (Jan 18)
- Re: snort and squid Seth (Jan 18)
- Re: snort and squid Helmut Schneider (Jan 18)
- Re: snort and squid Helmut Schneider (Jan 18)
- Re: snort and squid Paul Melson (Jan 17)