Re: snort and squid

["Helmut Schneider" <jumper99 () gmx de>]

From: "Joel Esler" <joel.esler () sourcefire com>

> You have two options.  Correlate the events with the logs from your  Squid 
> proxy, or move the Snort sensor inside the proxy.

The second sensor *is* on the proxy.

> Sometimes (and right now I can't remember if Squid does it) it will  add a 
> header to the http that says "X-Forwarded-For" or similar that

X-Forwared-For is disabled of course. :)

> will have the IP of the actual client.  However, like I said, I can't 
> remember if Squid does that for you, and that would be the only way  that 
> you can see the IP behind the proxy.

So, snort (or the current ruleset) is not able to inspect certain squid 
traffic? As I replied to Paul, some things are caught (e.g. SHELLCODE x86 
NOOP, Invalid FTP Command, and some more) but not the policy or porn 
traffic. 


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users