Re: Sensor placement with presence of web proxies

[Joel Esler <jesler () sourcefire com>]

We have the X-Forwarded-For (etc) header logging in Snort to deal with just
this problem.

Saying that, I've seen a sensor deployed in both ways (inside the proxy and
outside the proxy) inside the proxy (client desktop side) is much preferred.

Also, saying that, make sure if your proxy does any proxying over some
strange port, make sure it's in http_inspect and HTTP_PORTS for now.

J

On Thu, Jan 26, 2012 at 5:02 PM, Jefferson, Shawn <
Shawn.Jefferson () bcferries com> wrote:

> Hi Martin,
>
> I have the exact configuration* you are describing, and I have wondered
> the same thing.  I do get alerts for proxy-bound HTTP traffic, so I am
> fairly comfortable that detection is still working correctly.  I think I've
> even asked the same question on this list with no answers.  I'm interested
> in verifying this as well.
>
> *We actually have two scenarios:
>
> 1. Explicit proxy configuration.
> 2. WCCP redirect of 80/443 traffic.
>
> Both seem to generate alerts from Snort still.
>
>
> -----Original Message-----
> From: Martin Holste [mailto:mcholste () gmail com]
> Sent: Thursday, January 26, 2012 1:54 PM
> To: <snort-users () lists sourceforge net>
> Subject: [Snort-users] Sensor placement with presence of web proxies
>
> Our org is looking at using web proxies without changing settings on the
> client.  This can involve using Cisco's WCCP or policy-based routing to
> marshal traffic that would normally go to the Internet to a proxy.  As I
> understand it, the proxy makes the request, returns the response to the
> router, and the router returns the response to the client.  My question is
> if anyone has run into problems with a tap or span on the side of the
> router closest to the client.  That is, does the proxy change the traffic
> enough to interfere?  It seems nonsensical to put the sensor at the edge of
> the network since the requests will have the source IP of the proxy, not
> the actual client, but that means that the traffic the IDS inspects will be
> inauthentic versus what the remote host on the Internet actually sent.
> Theoretically, it should be the same traffic, but I'm wondering if anyone
> can confirm that.  I'm especially concerned with appliances that reorder or
> normalize HTTP headers, etc.
>
> Thanks,
>
> Martin
>
>
> ------------------------------------------------------------------------------
> Keep Your Developer Skills Current with LearnDevNow!
> The most comprehensive online learning library for Microsoft developers is
> just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro
> Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
> ------------------------------------------------------------------------------
> Keep Your Developer Skills Current with LearnDevNow!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!



-- 
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
Twitter:  http://twitter.com/snort

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!