Snort mailing list archives
Re: Proxy woes
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Tue, 17 Nov 2009 16:46:18 -0500
I'm getting ready to deploy in the same fashion. The X-Forwarded-For header will work but it will be a PIA digging into every alert to find it and will make reporting on the number of hosts affected with a particular bot (or whatever else) pretty difficult. There might be a good idea for a proxy preprocessor in here somewhere to make tracking this easier. on that note... We currently do not have X-Forwarded-For turned on on our proxy. Is any one else concerned that it provide internal IP information to whatever the proxy is forwarding the request to? I guess if the client has something malicious on it whatever it is will already know what the internal IP is and could pass that on if it could make use of it... moot point? On Tue, Nov 17, 2009 at 3:52 PM, CunningPike <cunningpike () gmail com> wrote:
On Tue, Nov 17, 2009 at 11:52 AM, inetjunkmail <inetjunkmail () gmail com> wrote:We have an proxy server between our users and the Internet. The proxy server is explicitly configured in their browsers (not transparent). We'd like to use Snort with both VRT and Emerging rules to help identify bots. So I see two options: Put Snort outside proxy servers: Pro: Destination addresses are valid so they can be matched on by Emerging Bot rules Con: Internal user's IP is lost unless correlated against proxy logs since all source addresses are the proxy's external address Put Snort inside proxy servers: Pro: See the Internal client's IP address Con: All destination addresses are the proxy server since the destination web site is in the payload (not to mention the destination in the payload is likely a URL rather than IP) Is there any preprocessor or way to look at the traffic inside the proxy request and have the preprocessor pull the destination out and do a DNS lookup to identify the true destination IP before processing the rules? I understand the DNS overhead likely introduces too much delay; just looking for any possibilities.We have a setup pretty close to yours - our IDS is downstream of the proxy. If/when we get an alert, we inspect the X-Forwarded-For header to determine the IP address of the host that originated the request. CP ------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------ Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Proxy woes inetjunkmail (Nov 17)
- Re: Proxy woes CunningPike (Nov 17)
- Re: Proxy woes Alan Ptak (Nov 17)
- Re: Proxy woes Joel Esler (Nov 17)
- Snort Ignores Filenames for alert_unified and log_unified? Eoin Miller (Nov 17)
- Re: Snort Ignores Filenames for alert_unified and log_unified? Eoin Miller (Nov 18)
- Re: Proxy woes Jason Wallace (Nov 17)
- Re: Proxy woes Joel Esler (Nov 17)
- Re: Proxy woes Alan Ptak (Nov 17)
- Re: Proxy woes CunningPike (Nov 17)