Snort mailing list archives

Re: Proxy woes


From: Joel Esler <jesler () sourcefire com>
Date: Tue, 17 Nov 2009 17:41:27 -0500

On Tue, Nov 17, 2009 at 4:20 PM, Alan Ptak <alan.ptak () gmail com> wrote:

CP,

I find many IDS/IPS deployments configured as you describe.

As I'm sure you know, X- headers can be (and often are) spoofed. Just
pointing out the bleedin' obvious. Customers occasionally ask for custom
rules to alert on a specific X-Forwarded-For address, which generally proves
effective for a day or two.


I'd rather put the sensor behind the proxy. That way I can see the internal
address. That's more important to me than where they are going. Either way
you can look it up, but which one is more important to act on? The internal
or the external?

Pros and cons.

J



Alan

On Nov 17, 2009, at 12:52 PM, CunningPike wrote:

On Tue, Nov 17, 2009 at 11:52 AM, inetjunkmail <inetjunkmail () gmail com> wrote:

We have a proxy server between our users and the Internet. The proxy
server is explicitly configured in their browsers (not transparent). We'd
like to use Snort with both VRT and Emerging rules to help identify bots.
So I see two options:

Put Snort outside proxy servers:
Pro:  Destination addresses are valid so they can be matched on by
Emerging Bot rules
Con: Internal user's IP is lost unless correlated against proxy logs since
all source addresses are the proxy's external address

Put Snort inside proxy servers:
Pro: See the Internal client's IP address
Con: All destination addresses are the proxy server since the destination
web site is in the payload (not to mention the destination in the payload is
likely a URL rather than IP)

Is there any preprocessor or way to look at the traffic inside the proxy
request and have the preprocessor pull the destination out and do a DNS
lookup to identify the true destination IP before processing the rules?  I
understand the DNS overhead likely introduces too much delay; just looking
for any possibilities.

We have a setup pretty close to yours - our IDS is downstream of the
proxy. If/when we get an alert, we inspect the X-Forwarded-For header to
determine the IP address of the host that originated the request.

CP


------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day

trial. Simplify your report design, integration and deployment - and focus
on
what you do best, core application coding. Discover what's new with
Crystal Reports now.
http://p.sf.net/sfu/bobj-july_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Alan Ptak
E: alan.ptak () gmail com

-- 
Joel Esler | 302-223-5974 | gtalk: jesler () sourcefire com
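As an added illustration of the two points raised in this thread (the proxy-added X-Forwarded-For header identifies the internal client, but client-supplied values can be spoofed, and the Host header carries the real destination when the sensor sits inside the proxy), here is example code that is not part of the original thread. It assumes a hypothetical trusted-proxy address and a constructed request; only the rightmost X-Forwarded-For entry is trusted, and only when the packet actually came from the proxy.

```python
import ipaddress

# Hypothetical: the proxy's address as seen by a sensor outside (downstream of) the proxy.
TRUSTED_PROXIES = {ipaddress.ip_address("203.0.113.10")}


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of an HTTP/1.x request into a lowercase-key dict."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        # Repeated headers are joined with commas, as HTTP permits.
        headers[key] = headers[key] + ", " + value if key in headers else value
    return headers


def originating_client(pkt_src: str, headers: dict):
    """Return the client IP the proxy appended to X-Forwarded-For, or None.

    Anything left of the last entry may have been supplied by the client itself,
    so a rule matching a specific X-Forwarded-For value is easy to evade or to
    frame another host with. The rightmost entry was appended by our proxy, and
    even that is only meaningful when the packet really came from that proxy.
    """
    if ipaddress.ip_address(pkt_src) not in TRUSTED_PROXIES:
        return None
    xff = headers.get("x-forwarded-for")
    if not xff:
        return None
    try:
        return str(ipaddress.ip_address(xff.split(",")[-1].strip()))
    except ValueError:
        return None


def requested_host(headers: dict):
    """Recover the true destination name (sensor inside the proxy sees only the proxy IP)."""
    host = headers.get("host")
    return host.split(":")[0].strip().lower() if host else None


# Constructed request: the client injected a bogus first hop (1.2.3.4); the proxy
# then appended the address it actually saw (10.1.2.3).
SAMPLE = (b"GET http://example.net/check HTTP/1.1\r\n"
          b"Host: example.net\r\n"
          b"X-Forwarded-For: 1.2.3.4, 10.1.2.3\r\n\r\n")
```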