Snort mailing list archives
Re: Snort on web servers behind reverse proxies
From: Joel Esler <joel.esler () sourcefire com>
Date: Thu, 1 May 2008 11:25:41 -0400
Okay, Let me clarify and you tell me if I am wrong or right. You want to write a Snort rule to detect if your proxies are sending your inside ip's out to the internet? Or are you asking how to modify your proxies so that they don't send the IP's at all? joel On May 1, 2008, at 10:29 AM, Tudor Panaitescu wrote:
Hi First of all I did some research and couldn't find anything about this, so no flames please :-) Here is the story. We have some reverse proxies/application accelerators/etc. (let's call them reverse proxies for now) in front of our web site. We don't control these reverse proxies and I am not sure if the provider has any IDS capabilities on those. I have snort (2.8.0.2) installed on the actual web servers but the only thing that I see in the alerts is the IP addresses of the reverse proxies, which is normal. Now, the reverse proxies, in their http requests to the web servers, they add 2 entries in the headers: X-Forwarded-For: <origin's IP address> and True-Client-IP: <origin's IP address>. Is it a way to modify the rules to alert using any of these IP addresses instead of the IP address(es) of the reverse proxies ? Any help/idea would be appreciated. Thanks and all the best, Tudor Visit us at http://www.colorcon.com NOTICE: This e-mail contains confidential and/or proprietary information, some or all of which may be legally privileged. It is intended only for the named recipient. If an addressing or transmission error has misdirected the e-mail, please notify the author by replying to this message. If you are not the named recipient you must not use, disclose, distribute, copy, print, or rely on this e-mail, and should immediately delete it from your computer system. Thank you. * ------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Joel Esler joel.esler () sourcefire com ------------------------------------------------------------------------- This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2. http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Snort on web servers behind reverse proxies Tudor Panaitescu (May 01)
- Re: Snort on web servers behind reverse proxies Joel Esler (May 01)
- Re: Snort on web servers behind reverse proxies Tudor Panaitescu (May 01)
- Re: Snort on web servers behind reverse proxies Jack Pepper (May 01)
- Re: Snort on web servers behind reverse proxies Tudor Panaitescu (May 01)
- Re: Snort on web servers behind reverse proxies Jason (May 01)
- Re: Snort on web servers behind reverse proxies Tudor Panaitescu (May 01)
- Re: Snort on web servers behind reverse proxies Joel Esler (May 01)