Snort mailing list archives
Re: Alerts with the incorrect Source IP (proxy server)
From: Eric G <eric () nixwizard net>
Date: Wed, 24 Oct 2012 20:33:52 -0400
On Oct 24, 2012 2:42 PM, "Jeremy Hoel" <jthoel () gmail com> wrote:
> Check that out.. learned something new. I don't have that value in my
> conf either but that's something worth looking at.

I didn't know about snort's xff option before Joel mentioned it either, but if it refers to the "X forwarded for" http header as I suspect it does, it might be turned off by default on your proxy appliance... we leave it off at work on our proxies because we'd rather not leak out our internal IP address scheme, and we have other ways of figuring out "who went where when" or "what traffic caused this rule to fire an alert?"

At the end of the day, nothing beats good centralized logging and a packet capture appliance :)

--
Eric
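
The "who went where when" lookup from centralized proxy logs, for a sensor that only sees the proxy's address as the alert source, sketched as an added example that is not part of the original message. The log layout, field names, addresses and the 5-second window are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed proxy access log: timestamp, internal client, destination ip:port, request.
PROXY_LOG = """\
2012-10-24T14:41:58 10.1.20.15 198.51.100.7:80 GET /index.html
2012-10-24T14:42:01 10.1.30.44 203.0.113.9:80 GET /update.bin
2012-10-24T14:42:03 10.1.20.15 203.0.113.9:80 GET /favicon.ico
2012-10-24T14:55:10 10.1.40.8 203.0.113.9:80 GET /news
this line is malformed
"""

# Constructed alert as seen outside the proxy: the source is the proxy itself.
ALERT = {"time": "2012-10-24T14:42:01", "src": "192.0.2.10",
         "dst": "203.0.113.9", "dport": 80}


def parse_proxy_log(text):
    """Return (timestamp, client_ip, dest_ip, dest_port) tuples, skipping bad lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 3:
            continue
        host, _, port = parts[2].rpartition(":")
        try:
            entries.append((datetime.fromisoformat(parts[0]), parts[1], host, int(port)))
        except ValueError:
            continue  # unparseable timestamp or port
    return entries


def candidate_clients(alert, entries, window_seconds=5):
    """Internal clients that asked the proxy for the alert's destination
    within the time window, closest in time first, without duplicates."""
    when = datetime.fromisoformat(alert["time"])
    window = timedelta(seconds=window_seconds)
    hits = sorted(
        (abs(ts - when), client)
        for ts, client, host, port in entries
        if host == alert["dst"] and port == alert["dport"] and abs(ts - when) <= window
    )
    ordered = []
    for _, client in hits:
        if client not in ordered:
            ordered.append(client)
    return ordered


if __name__ == "__main__":
    print(candidate_clients(ALERT, parse_proxy_log(PROXY_LOG)))
```

More than one candidate can come back when several clients reach the same destination in the window, which is where a packet capture helps settle the attribution.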