Snort mailing list archives

Re: Alert on contents of proxy traffic


From: "Gould, Scott" <scott.gould () gogstats org>
Date: Mon, 26 Nov 2007 14:12:17 -0500

Thanks for the info and explanation, Will.


I did a little more testing and thought I would mention what I found in
case it makes any difference.

Turns out the traffic between the internal http proxy and users is
alerted on if I remove ONLY the "established" part of the rule flow
option.  

Also, the proxy is a Linux-based McAfee SCM appliance that uses the
built-in Mozilla/Firefox/IE client-side proxy settings.

I also noticed that if I do define a default http_inspect_server config
line, then even with the "established" part of the rule flow option
used, the IDS does NOT alert on the traffic. 

Aka, if I do NOT define a default http_inspect_server config line, AND I
remove the "established" part of the rule flow option, then the traffic
between the internal http proxy and users is alerted on, as I would
like.  Now, I can't really go through all rules and remove the
established portion of the flow section.  I did define some
http_inspect_server config lines for our internal webservers.  

Does any of the above offer any ideas as to what I could tweak other
than every single rule that I want to be alerted on?

Would creating a custom http_inspect_server config line for the internal
http proxy server perhaps allow this traffic to be alerted on?  Any
ideas on what options to use if this is the route to go?
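An added example, not part of any post in this thread: a snort.conf fragment in Snort 2.4-era syntax that puts Scott's two rules side by side and gives the internal proxy its own http_inspect_server entry with the flow_depth option Will mentions. The proxy address, the stream4 lines and the rule sids are assumptions; HOME_NET and EXTERNAL_NET are set to any as in Scott's testing.

```snort
# Added example (not from the thread). Snort 2.4-style snort.conf fragment.
# Proxy address, stream4 lines and sids are assumed values, not from the posts.
var HOME_NET any                 # "any" on both, as in the testing described
var EXTERNAL_NET any
var HTTP_PORTS 80                # the proxy listens on port 80

# Session tracking: flow:established only matches sessions that stream4
# has tracked from the TCP handshake onward.
preprocessor stream4: disable_evasion_alerts
preprocessor stream4_reassemble: both

preprocessor http_inspect: global iis_unicode_map unicode.map 1252

# Default server entry; flow_depth is left at its default, so only the
# first 300 bytes of each server response are inspected.
preprocessor http_inspect_server: server default profile all ports { 80 }

# Per-server entry for the internal proxy (assumed address 10.1.1.5):
# flow_depth 0 inspects the whole response body on the user-facing side,
# at the CPU cost Will describes.
preprocessor http_inspect_server: server 10.1.1.5 profile all ports { 80 } flow_depth 0

# Scott's rule pair, differing only in the flow option.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test Phrase - established sessions only"; flow:to_client,established; content:"test Phrase"; nocase; classtype:misc-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test Phrase - any session state"; flow:to_client; content:"test Phrase"; nocase; classtype:misc-activity; sid:1000002; rev:1;)
```

Because the established flag is set by stream4 only for sessions it tracked from the handshake, the second rule is the one that fires on a session the sensor did not see from the start, even though the content is present in both cases.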



-----Original Message-----
From: Will Metcalf [mailto:william.metcalf () gmail com] 
Sent: Monday, November 26, 2007 12:10 PM
To: Gould, Scott
Cc: Snort-users () lists sourceforge net
Subject: Re: [Snort-users] Alert on contents of proxy traffic

Well, first off, you are not going to see very much of the payload
returned from an external webserver because of the default flow_depth in
http_inspect. You can set flow_depth to 0 to see the entire payload at
the expense of deep-sixing your IDS. In addition, if you are wrapping
requests inside of a Winsock proxy client (ISA Server), Snort may not
fire because it does not know how to decode this protocol.

Regards,

Will

On Nov 26, 2007 10:47 AM, Gould, Scott <scott.gould () gogstats org> wrote:
Thanks for the prompt reply.

Snort version 2.4.5
Proxy runs on port 80

An example rule would be just about any web content. For example, a
rule that triggers on the outside between the internal proxy server
and external webservers with the following options:

 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test Phrase"; content:"test Phrase"; nocase; flow:to_client,established;...........

Would only trigger on the inside between the internal client and
internal http proxy server, if I remove the flow info:

 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test Phrase"; content:"test Phrase"; nocase; ......................................


For testing purposes I have set the $EXTERNAL_NET and $HOME_NET to
any.

BTW, there are two different Snort instances here. But other than
server-specific settings for some of the preprocessors (servers which
are not involved in this scenario), the configs are the same for
testing purposes.

Scott




-----Original Message-----
From: rmkml [mailto:rmkml () free fr]
Sent: Monday, November 26, 2007 9:00 AM
To: Gould, Scott
Cc: rmkml () free fr
Subject: Re: [Snort-users] Alert on contents of proxy traffic

Hi Scott,
What Snort version do you use, please?
Maybe send an example (traffic/alert)?
And send snort.conf?
What port is on your proxy, please? (81? 3128? 8000? 8080?)
Interesting thing with Snort 2.8.0 and port var features!
Best Regards
Rmkml


On Mon, 26 Nov 2007, Gould, Scott wrote:

Date: Mon, 26 Nov 2007 11:29:31 -0500
From: "Gould, Scott" <scott.gould () gogstats org>
To: Snort-users () lists sourceforge net
Subject: [Snort-users] Alert on contents of proxy traffic


Here is the setup:

Snort is listening on traffic flowing between internal users and the http
proxy. Snort is listening on traffic flowing between the internal proxy
and external web servers. As anticipated, many rules are triggered on the
traffic between the internal proxy and the external web servers. BUT, the
same rules are not triggered on the same traffic between the http proxy
and the internal users.

What I am trying to achieve is to see an alert between the internal
http proxy and external webservers, and correlate it to an alert on the
same traffic, but as it flows between the internal users and the
internal http proxy. For some reason, only the outside traffic is
triggering the alert. To confirm that Snort and variables are set up
correctly for testing so that I should see alerts, I confirmed I can
trigger rules on ICMP traffic between the internal http proxy and
the internal users.

It appears that the proxy is doing something to the traffic as it
flows between the internal http proxy and the users, so that it is not
detected by Snort rules.

Any thoughts or suggestions on where to start tinkering?

Thanks in advance,

Scott

Scott Gould

Senior Network & Systems Analyst
Gynecologic Oncology Group
Statistical & Data Center
scott.gould () gogstats org
716-845-5702






-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



