Snort mailing list archives

Re: Code Red and port 443 (was RE: Code Red HELP!!!!)


From: Mike Johnson <mike () enoch org>
Date: Wed, 8 Aug 2001 11:14:04 -0400

Marsiske Stefan [stefan.marsiske () sysdata siemens hu] wrote:
but in either case, your snort logs will show only your sslproxy (hw/sw) as a
sourceip. you lose the info of the attacking host. right?

Yes, but you should be able to correlate your snort logs with
the logs of the proxy.  Not necessarily in real time, but you
would only need to do it when snort catches something.

It's a tradeoff, for sure, but the sslproxy would allow you
to at least look into the traffic going to your webserver.

Of course, if you control the proxy, you could probably add
extra HTTP headers that show the original requester.

Mike
-- 
Never trust a man who puts anything other than a finger up his nose. - _Snatch_
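
Added example, not part of the original message: one way to do the correlation described above, matching each Snort alert whose source is the proxy against proxy requests inside a small time window. The proxy log format, the addresses, the rule id and all sample lines are constructed assumptions; only the Snort fast-alert timestamp layout (no year) is the tool's own.

```python
import re
from datetime import datetime, timedelta

PROXY_IP = "10.0.0.5"  # assumption: the SSL proxy's address as Snort sees it
YEAR = 2001            # fast alerts carry no year; the analyst supplies it

# Constructed sample data (not from the thread).
SNORT_ALERTS = """\
08/08-11:14:04.120000  [**] [1:1000001:1] constructed .ida request alert [**] {TCP} 10.0.0.5:34567 -> 10.0.0.10:80
08/08-11:20:30.500000  [**] [1:1000001:1] constructed .ida request alert [**] {TCP} 192.0.2.99:1025 -> 10.0.0.10:80
"""
PROXY_LOG = """\
2001-08-08 11:13:10 client=198.51.100.20 "GET /index.html HTTP/1.0"
2001-08-08 11:14:03 client=203.0.113.7 "GET /default.ida HTTP/1.0"
2001-08-08 11:14:04 client=198.51.100.20 "GET /logo.gif HTTP/1.0"
"""

ALERT_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+(.*?)\s+\[\*\*\]"
                      r".*\{TCP\}\s+([\d.]+):\d+\s+->")
PROXY_RE = re.compile(r'^(\S+ \S+) client=(\S+) "(.*)"$')

def parse_alerts(text):
    """Yield (timestamp, message, source_ip) for each fast-alert line."""
    for m in filter(None, map(ALERT_RE.match, text.splitlines())):
        ts = datetime.strptime(f"{YEAR}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S")
        yield ts, m.group(2), m.group(3)

def parse_proxy(text):
    """Yield (timestamp, client_ip, request) for each proxy log line."""
    for m in filter(None, map(PROXY_RE.match, text.splitlines())):
        yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)

def correlate(alerts, proxy_log, window=timedelta(seconds=2), contains=None):
    """Map each proxy-sourced alert to candidate (client, request) pairs.

    window absorbs clock skew between sensor and proxy; contains narrows
    the candidates to requests holding the content the rule matched on.
    """
    requests = list(parse_proxy(proxy_log))
    results = []
    for ts, msg, src in parse_alerts(alerts):
        if src != PROXY_IP:
            continue  # Snort already logged the real client address
        hits = [(c, r) for t, c, r in requests
                if abs(t - ts) <= window and (contains is None or contains in r)]
        results.append((ts, msg, hits))
    return results

if __name__ == "__main__":
    for ts, msg, hits in correlate(SNORT_ALERTS, PROXY_LOG, contains=".ida"):
        print(ts, msg, hits)
```

Without `contains`, the first alert matches two clients within the window, which is why time alone is usually not enough on a busy proxy.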
