Snort mailing list archives
Re: Snort on web servers behind reverse proxies
From: Tudor Panaitescu <TPanaitescu () colorcon com>
Date: Thu, 1 May 2008 22:22:40 -0400
Hi Jason,

Thanks for the information. I took a look at snortunified.pm and I am a little confused; please keep in mind that I haven't written a line of code in over 12 years now, so it is pretty hard for me to look at the code. Do you have any hints for me regarding the usage? I am using barnyard now for logging to a mysql database + Base; can the software you recommended replace barnyard?

Thanks,
Tudor

Jason <security@brvenik .com>
05/01/2008 12:10 PM
To: Tudor Panaitescu <TPanaitescu () colorcon com>
cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Snort on web servers behind reverse proxies

You will have to post process it. Check out snortunified.pm for a framework that makes it easy.

Tudor Panaitescu wrote:
Hi,

First of all, I did some research and couldn't find anything about this, so no flames please :-)

Here is the story. We have some reverse proxies/application accelerators/etc. (let's call them reverse proxies for now) in front of our web site. We don't control these reverse proxies and I am not sure if the provider has any IDS capabilities on those. I have snort (2.8.0.2) installed on the actual web servers, but the only thing that I see in the alerts is the IP addresses of the reverse proxies, which is normal.

Now, the reverse proxies, in their http requests to the web servers, add 2 entries in the headers: X-Forwarded-For: <origin's IP address> and True-Client-IP: <origin's IP address>. Is there a way to modify the rules to alert using any of these IP addresses instead of the IP address(es) of the reverse proxies? Any help/idea would be appreciated.

Thanks and all the best,
Tudor

Visit us at http://www.colorcon.com

NOTICE: This e-mail contains confidential and/or proprietary information, some or all of which may be legally privileged. It is intended only for the named recipient. If an addressing or transmission error has misdirected the e-mail, please notify the author by replying to this message. If you are not the named recipient you must not use, disclose, distribute, copy, print, or rely on this e-mail, and should immediately delete it from your computer system. Thank you.

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference. Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
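The post-processing Jason suggests, as an added example that is not code from the thread or from snortunified.pm: given an alert's packet source address and its HTTP request payload (for instance pulled from the barnyard database), it reports the origin address from X-Forwarded-For, falling back to True-Client-IP. It assumes the provider's proxy addresses are known; those addresses and the sample request are constructed for the example.

```python
import ipaddress
import re
# Constructed for this example: the provider's reverse proxies in front of the web
# servers. Proxy-added headers are honoured only for packets arriving from these.
TRUSTED_PROXIES = {ipaddress.ip_address(a) for a in ("203.0.113.10", "203.0.113.11")}
_HEADER = re.compile(r"^([A-Za-z0-9-]+):[ \t]*(.*?)[ \t]*$")

def parse_headers(payload: bytes) -> dict:
    """Header block of a captured HTTP request as a lower-cased dict; repeated
    headers are joined with commas, as allowed for list-valued headers."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    headers: dict = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        m = _HEADER.match(line)
        if m:
            name, value = m.group(1).lower(), m.group(2)
            headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers

def _addr(text: str):
    """Parse one IP address; None for anything malformed (including 'unknown')."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def origin_ip(pkt_src: str, payload: bytes) -> str:
    """Address to report for an alert raised on a web server behind the proxies.
    Headers are ignored unless the packet came from a trusted proxy, since any
    client can send X-Forwarded-For itself. The chain is then walked from the
    right, skipping trusted proxies; the first other hop is the client.
    True-Client-IP is a fallback when the chain yields nothing."""
    if _addr(pkt_src) not in TRUSTED_PROXIES:
        return pkt_src
    headers = parse_headers(payload)
    for hop in reversed(headers.get("x-forwarded-for", "").split(",")):
        addr = _addr(hop)
        if addr is None:
            break  # malformed entry: do not trust anything to its left
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    tci = _addr(headers.get("true-client-ip", ""))
    if tci is not None and tci not in TRUSTED_PROXIES:
        return str(tci)
    return pkt_src  # no usable client address: keep reporting the proxy

# Constructed alert payload as a reverse proxy would forward it to the web server.
SAMPLE_REQUEST = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"X-Forwarded-For: 198.51.100.7, 203.0.113.10\r\n"
                  b"True-Client-IP: 198.51.100.7\r\n\r\n")
```

Because these headers are plain request headers, the same logic must refuse them when the packet did not come from one of the known proxies; otherwise an alert could be attributed to whatever address a client chose to write in X-Forwarded-For.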
Current thread:
- Snort on web servers behind reverse proxies Tudor Panaitescu (May 01)
- Re: Snort on web servers behind reverse proxies Joel Esler (May 01)
- Re: Snort on web servers behind reverse proxies Tudor Panaitescu (May 01)
- Re: Snort on web servers behind reverse proxies Jack Pepper (May 01)
- Re: Snort on web servers behind reverse proxies Tudor Panaitescu (May 01)
- Re: Snort on web servers behind reverse proxies Jason (May 01)
- Re: Snort on web servers behind reverse proxies Tudor Panaitescu (May 01)
- Re: Snort on web servers behind reverse proxies Joel Esler (May 01)