Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Snort on web servers behind reverse proxies

From: Tudor Panaitescu <TPanaitescu () colorcon com>
Date: Thu, 1 May 2008 22:22:40 -0400


Hi Jason,

Thanks for the information. I took a look at snortunified.pm and I am a
little confused, please keep in mind that I haven't written a line of code
in over 12 years now so it is pretty hard for me to look at the code. Do
you have any hints for me regarding the usage ? I am using barnyard now for
logging to a mysql database + Base, can the software you recommended
replace barnyard ?

Thanks,
Tudor



                                                                           
             Jason                                                         
             <security@brvenik                                             
             .com>                                                      To 
                                       Tudor Panaitescu                    
             05/01/2008 12:10          <TPanaitescu () colorcon com>          
             PM                                                         cc 
                                       snort-users () lists sourceforge net   
                                                                   Subject 
                                       Re: [Snort-users] Snort on web      
                                       servers behind reverse proxies      
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




you will have to post process it. check out snortunified.pm for a
framework tat makes it easy.

Tudor Panaitescu wrote:


Hi

First of all I did some research and couldn't find anything about this,

so

no flames please :-)

Here is the story. We have some reverse proxies/application
accelerators/etc. (let's call them reverse proxies for now) in front of

our

web site. We don't control these reverse proxies and I am not sure if the
provider has any IDS capabilities on those. I have snort (2.8.0.2)
installed on the actual web servers but the only thing that I see in the
alerts is the IP addresses of the reverse proxies, which is normal. Now,
the reverse proxies, in their http requests to the web servers, they add

2

entries in the headers: X-Forwarded-For: <origin's IP address> and
True-Client-IP: <origin's IP address>. Is it a way to modify the rules to
alert using  any of these IP addresses instead of the IP address(es) of

the

reverse proxies ?

Any help/idea would be appreciated.

Thanks and all the best,
Tudor


Visit us at http://www.colorcon.com

NOTICE: This e-mail contains confidential and/or proprietary information,

some or all of which may be legally privileged. It is intended only for the
named recipient. If an addressing or transmission error has misdirected the
e-mail,

please notify the author by replying to this message. If you are not the

named recipient you must not use, disclose, distribute, copy, print, or
rely on this e-mail, and should immediately delete it from your computer
system.


Thank you. *

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.


http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





Visit us at http://www.colorcon.com

NOTICE: This e-mail contains confidential and/or proprietary information, some or all of which may be legally 
privileged. It is intended only for the named recipient. If an addressing or transmission error has misdirected the 
e-mail,
please notify the author by replying to this message. If you are not the named recipient you must not use, disclose, 
distribute, copy, print, or rely on this e-mail, and should immediately delete it from your computer system.

Thank you. *

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference 
Don't miss this year's exciting event. There's still time to save $100. 
Use priority code J8TL2D2. 
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: