Snort mailing list archives
Re: snort and squid
From: "Helmut Schneider" <jumper99 () gmx de>
Date: Fri, 18 Jan 2008 10:26:51 +0100
From: "Joel Esler" <joel.esler () sourcefire com>
You have two options. Correlate the events with the logs from your Squid proxy, or move the Snort sensor inside the proxy.
The second sensor *is* on the proxy.
Sometimes (and right now I can't remember if Squid does it) it will add a header to the http that says "X-Forwarded-For" or similar that
X-Forwared-For is disabled of course. :)
will have the IP of the actual client. However, like I said, I can't remember if Squid does that for you, and that would be the only way that you can see the IP behind the proxy.
So, snort (or the current ruleset) is not able to inspect certain squid traffic? As I replied to Paul, some things are caught (e.g. SHELLCODE x86 NOOP, Invalid FTP Command, and some more) but not the policy or porn traffic. ------------------------------------------------------------------------- This SF.net email is sponsored by: Microsoft Defy all challenges. Microsoft(R) Visual Studio 2008. http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- snort and squid Helmut Schneider (Jan 17)
- Re: snort and squid Paul Melson (Jan 17)
- Re: snort and squid Helmut Schneider (Jan 17)
- Re: snort and squid Joel Esler (Jan 17)
- Re: snort and squid Helmut Schneider (Jan 18)
- Re: snort and squid Joel Esler (Jan 18)
- Re: snort and squid Helmut Schneider (Jan 18)
- Re: snort and squid Seth (Jan 18)
- Re: snort and squid Helmut Schneider (Jan 18)
- Re: snort and squid Helmut Schneider (Jan 18)
- Re: snort and squid Paul Melson (Jan 17)