IDS mailing list archives

Re: x-forwarded-for an IDS capability


From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Wed, 29 Apr 2009 09:00:22 -0700

The key here would be defining your HTTP "flow" more clearly (above
the TCP flow level). You may need a specialized state bucket for HTTP,
or at least a token correlation engine, i.e., depending on what you are
trying to do and how complex it is (say, correlating this at a *user* level),
you might need:

1. Define a session and/or authorization token in HTTP
2. Correlate that back to the X-Forwarded-For header, maintaining state
3. Then correlate *those* to future actions, e.g. a download.

If you are not trying to correlate at user or session level, this
might be much easier, and not really need HTTP state. Define what you
are trying to do and I can give you a better idea of what capabilities
exist today.

Currently most "WAFs" offer capabilities like the above, and many of
them are HTTP IDSes. Your open source WAF being ModSecurity.

Multiple vendors announced "WAFs", stand-alone or in their IDS, at RSA
this year, which should imply they have this ability, including
3COM/TippingPoint, NEC, ISS/IBM, Barracuda, etc. etc.

Snort does not, today, offer this ability. I know of one project
working to build this type of functionality into Snort 2.x as we
speak, and I would be surprised if Snort 3.0 does not provide for this
type of functionality, but that's speculative drivel on my part.


Cheers,


-- 
Arian Evans
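The three steps above (bind a session token to the X-Forwarded-For client, keep that state, then attribute later events such as downloads to it) as an added example; this is not code from the thread or from any of the products mentioned. It assumes the session cookie has already been extracted from each request, that the proxy tier lives in a known address range so client-supplied XFF hops can be discarded, and uses constructed sample records.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of reverse-proxy access records (not real traffic), one tuple
# per request: (session cookie, X-Forwarded-For header, request line).
SAMPLE_RECORDS = [
    ("sid=abc123", "203.0.113.7",           "GET /login HTTP/1.1"),
    ("sid=abc123", "203.0.113.7, 10.0.0.5", "GET /report.zip HTTP/1.1"),
    ("sid=zzz999", "198.51.100.9",          "GET /report.zip HTTP/1.1"),
    ("sid=abc123", "",                      "GET /export.zip HTTP/1.1"),
]

# Assumed: the address range of our own proxy tier, the only hops we trust.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

def client_ip_from_xff(xff):
    """Rightmost X-Forwarded-For hop that is not one of our proxies.

    Everything left of the hop our proxy appended is client-supplied and may be
    spoofed, so the chain is walked from the right and only that hop is used.
    """
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ip_address(hop)
        except ValueError:
            continue  # malformed hop, ignore it
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return None

DOWNLOAD_RE = re.compile(r"\.(zip|exe|tar|gz)\s")

def correlate(records):
    """Steps 1-3 from the reply: key state on the session token, bind it to the
    XFF client address, then label later events (here: downloads) with it."""
    session_ip = {}   # HTTP-level state: session token -> client IP
    events = []
    for session, xff, request in records:
        ip = client_ip_from_xff(xff)
        if ip is not None:
            known = session_ip.setdefault(session, ip)
            if known != ip:   # same token now arriving from a different client
                events.append(("session-ip-changed", session, known, ip))
                session_ip[session] = ip
        if DOWNLOAD_RE.search(request):
            # Attribute the download even when this request carried no XFF.
            events.append(("download", session, session_ip.get(session), request))
    return events

if __name__ == "__main__":
    for ev in correlate(SAMPLE_RECORDS):
        print(ev)
```

The last sample record carries no X-Forwarded-For at all, yet the download is still attributed to 203.0.113.7 because the session-to-IP binding was kept from the earlier requests.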

On Tue, Apr 28, 2009 at 9:27 PM, James <jimbob.coffey () gmail com> wrote:
Hi List,

Does anyone know of an IDS vendor or open source product that has the
capability of associating an IP address in an X-Forwarded-For HTTP header
with an IDS event? This includes events that fire on a download as well,
so there would need to be some kind of internal HTTP state management.

I noticed this request from Jason Haars back in 2004 to the snort
mailing list, but I can't seem to find anything else on this on Google:
http://archives.neohapsis.com/archives/snort/2004-06/0235.html

thanks

--
jac
