Re: Snort on web servers behind reverse proxies

[Tudor Panaitescu <TPanaitescu () colorcon com>]

Hi Joel,

In my scenario the proxies are reverse proxies, they are not inside my
network and I am not worried about my internal IP addresses leaking out.
All parts are outside facing the world  wide wild Internet, the clients
(one of them could be you :-) ) come to my web server through a bunch of
reverse proxies forwarding requests to my actual web servers, something
like this: Client -> Reverse Proxy -> Web server. On the web server, the
only thing I see in terms of IP addresses is just the IP addresses of the
reverse proxy and NOT the client's IP address. The only info of the
originating IP address (client's IP address) comes via the headers added by
the reverse proxies, as I mentioned in my previous email.

For your scenario, given that you use squid, just disable the
X-forwarded-for, walk in the park

Hope this clarifies the scenario.

Thanks,
Tudor



                                                                           
             Joel Esler                                                    
             <joel.esler@sourc                                             
             efire.com>                                                 To 
                                       Tudor Panaitescu                    
             05/01/2008 11:25          <TPanaitescu () colorcon com>          
             AM                                                         cc 
                                       snort-users () lists sourceforge net   
                                                                   Subject 
                                       Re: [Snort-users] Snort on web      
                                       servers behind reverse proxies      
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




Okay, Let me clarify and you tell me if I am wrong or right.  You want
to write a Snort rule to detect if your proxies are sending your
inside ip's out to the internet?  Or are you asking how to modify your
proxies so that they don't send the IP's at all?

joel

On May 1, 2008, at 10:29 AM, Tudor Panaitescu wrote:

> Hi
>
> First of all I did some research and couldn't find anything about
> this, so
> no flames please :-)
>
> Here is the story. We have some reverse proxies/application
> accelerators/etc. (let's call them reverse proxies for now) in front
> of our
> web site. We don't control these reverse proxies and I am not sure
> if the
> provider has any IDS capabilities on those. I have snort (2.8.0.2)
> installed on the actual web servers but the only thing that I see in
> the
> alerts is the IP addresses of the reverse proxies, which is normal.
> Now,
> the reverse proxies, in their http requests to the web servers, they
> add 2
> entries in the headers: X-Forwarded-For: <origin's IP address> and
> True-Client-IP: <origin's IP address>. Is it a way to modify the
> rules to
> alert using  any of these IP addresses instead of the IP address(es)
> of the
> reverse proxies ?
>
> Any help/idea would be appreciated.
>
> Thanks and all the best,
> Tudor
>
>
> Visit us at http://www.colorcon.com
>
> NOTICE: This e-mail contains confidential and/or proprietary
> information, some or all of which may be legally privileged. It is
> intended only for the named recipient. If an addressing or
> transmission error has misdirected the e-mail,
> please notify the author by replying to this message. If you are not
> the named recipient you must not use, disclose, distribute, copy,
> print, or rely on this e-mail, and should immediately delete it from
> your computer system.
>
> Thank you. *
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> Don't miss this year's exciting event. There's still time to save
> $100.
> Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone

> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Joel Esler  joel.esler () sourcefire com





Visit us at http://www.colorcon.com

NOTICE: This e-mail contains confidential and/or proprietary information, some or all of which may be legally 
privileged. It is intended only for the named recipient. If an addressing or transmission error has misdirected the 
e-mail,
please notify the author by replying to this message. If you are not the named recipient you must not use, disclose, 
distribute, copy, print, or rely on this e-mail, and should immediately delete it from your computer system.

Thank you. *
-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don't miss this year's exciting event. There's still time to save $100. 
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users