Snort mailing list archives

Re: snort and squid


From: "Helmut Schneider" <jumper99 () gmx de>
Date: Fri, 18 Jan 2008 16:14:09 +0100

> Of course Snort will inspect the traffic.  However, to view the internal
> ip, if the proxy is rewriting the Source IP, then it's a limitation.
>
> If your intention is other, please clarify.  I'm afraid I am not sure I
> understand what you are asking then.

It shouldn't matter if I inspect traffic from the proxy to the webserver or 
from the client to the proxy, the content should be the same.

But - I put snort on the proxy and changed HTTP_PORTS to 3128. I use the 
same snort.conf for the external sensor and for the sensor on the proxy.

Now, what happens is that I hit certain rules (e.g. SHELLCODE x86 NOOP, 
Invalid FTP Command, and some more, so the sensor itself is working fine) 
but I do not hit the porn or policy rules. I can wireshark the traffic from 
the client to the proxy, I see the words 'porn' or 'masturbate' or whatever 
in cleartext but snort does not hit some rules at all.

At the same time the rules for porn or policy *are* hit on the external 
sensor.

So now I wonder why the external sensor hits the rules while the sensor on 
the proxy does not, although I use exactly the same snort.conf except for 
HTTP_PORTS.

Hope that clarifies. :)

Helmut 
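As an added illustration (not from Helmut's mail or from the Snort project), this is what the HTTP_PORTS change described above looks like in a Snort 2.x snort.conf, with the two settings that change does not touch marked. The addresses, the port list and the rule are constructed; the assumption, not confirmed by the thread, is that the http_inspect server port list and the rule network variables were left at their defaults.

```snort
# Constructed Snort 2.x snort.conf excerpt (assumes Snort 2.8-style portvar syntax).

# Network variables. On a sensor sitting on the proxy host, the client -> proxy
# leg is HOME_NET -> proxy address. A stock rule written as
# "$HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS" only sees that leg when
# $EXTERNAL_NET still covers the proxy (e.g. the default "any").
var HOME_NET 192.168.0.0/24      # constructed value
var EXTERNAL_NET any

# The change made in the thread: the rule-side port variable.
# Listing both ports keeps one file usable on the external sensor as well.
portvar HTTP_PORTS [80,3128]

# Not touched by HTTP_PORTS: the http_inspect preprocessor keeps its own port
# list. Rules that rely on uricontent / http_* modifiers only match on ports
# the preprocessor normalizes, so the proxy port has to be listed here too.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 3128 }

# Constructed policy-style rule in the local SID range, useful as a first
# check that a plain content match on the client -> proxy leg fires at all:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"LOCAL policy test - keyword in client request"; \
    flow:to_server,established; content:"porn"; nocase; \
    classtype:policy-violation; sid:1000001; rev:1; )
```

If the local rule fires on the proxy sensor but the stock policy rules still do not, compare the stock rules' network variables and http_* modifiers against the two settings marked above.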

