Snort mailing list archives

Re: Application proxy firewall?


From: Demetri Mouratis <dmourati () cm math uiuc edu>
Date: Thu, 20 Feb 2003 10:20:11 -0600 (CST)


On Thu, 20 Feb 2003, Brian Conte wrote:

> Greetings,
>
> Will snort v1.9 that is watching traffic behind an application proxy
> firewall see the internal interface of the firewall as the SRC or DEST for
> any traffic going through the firewall or is snort capable of finding the
> real IP that the traffic is going to?
>
> If snort is capable of doing this, can someone point me to some
> documentation on this feature?
>
> Thanks,

Brian,

If you think this through, you'll see it's virtually impossible for snort
to convert the proxied IP connections to their real equivalents.  Your
best alternative is to use two sensors, one in front of the firewall and
one behind.  In front of the firewall, you can record the real src IP as
well as the destination IP and port.  With that information, and an
effectively configured application proxy firewall, you should be able to
do some correlation with the behind the firewall sensor to put two and two
together.

Hope that helps.
---------------------------------------------------------------------
Demetri Mouratis
dmourati () linfactory com
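
The two-sensor correlation suggested in the reply above, sketched as an added example that is not part of the original message or of Snort. The record layouts, addresses, alert text and the 2-second window are constructed assumptions; it matches on destination port and time only, so it returns every candidate real source rather than a single answer.

```python
from datetime import datetime, timedelta

PROXY_INSIDE_IP = "10.0.0.1"   # assumed: the firewall's internal interface
WINDOW = timedelta(seconds=2)  # assumed: maximum delay the proxy adds

# Constructed outside-sensor records: (timestamp, real_src_ip, dst_ip, dst_port)
OUTSIDE = [
    ("2003-02-20 10:15:01", "198.51.100.7", "192.0.2.10", 80),
    ("2003-02-20 10:15:01", "203.0.113.45", "192.0.2.10", 80),
    ("2003-02-20 10:15:30", "203.0.113.45", "192.0.2.10", 25),
    ("2003-02-20 10:20:00", "198.51.100.7", "192.0.2.10", 80),
]
# Constructed inside-sensor alerts: (timestamp, src_ip, dst_ip, dst_port, msg)
INSIDE = [
    ("2003-02-20 10:15:02", "10.0.0.1", "10.0.0.20", 80, "sample web alert"),
    ("2003-02-20 10:15:31", "10.0.0.1", "10.0.0.25", 25, "sample smtp alert"),
    ("2003-02-20 10:30:00", "10.0.0.1", "10.0.0.20", 80, "sample web alert"),
    ("2003-02-20 10:15:02", "10.0.0.99", "10.0.0.20", 80, "sample web alert"),
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def correlate(inside, outside, proxy_ip=PROXY_INSIDE_IP, window=WINDOW):
    """For each inside alert, list the candidate real source IPs."""
    results = []
    for when, src, dst, dport, msg in inside:
        if src != proxy_ip:
            # Not proxied: the inside sensor already saw the true source.
            results.append((msg, dst, dport, [src]))
            continue
        t = ts(when)
        # The proxy opens its inside connection at or shortly after the
        # outside connection arrives, so only look backwards in time.
        candidates = sorted({
            o_src for o_when, o_src, _o_dst, o_dport in outside
            if o_dport == dport and timedelta(0) <= t - ts(o_when) <= window
        })
        results.append((msg, dst, dport, candidates))
    return results

if __name__ == "__main__":
    for msg, dst, dport, cands in correlate(INSIDE, OUTSIDE):
        print(f"{msg} -> {dst}:{dport} real source candidates: {cands or 'none'}")
```

The first alert comes back with two candidates because two outside clients hit port 80 in the same second; per-connection records from the proxy itself would be needed to tell them apart.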


