Snort mailing list archives

IDS behind a web gateway


From: Nate Hausrath <hausrath.mailing.list () gmail com>
Date: Fri, 2 Apr 2010 16:00:57 -0400

Hello everyone,

We've run into an issue with the way our IDS views traffic after we installed a new web gateway.  The old system was 
essentially transparent, so when a web request was sent from the inside to the outside, it looked like this on the IDS:

10.0.0.1 --> 11.22.33.44:80
10.0.0.1 <-- 11.22.33.44:80

Obviously this makes it easy to determine the inside address of any system that may trigger an alert with Snort, but it 
also allows us to easily research the outside address.  The sensor knows the IP addresses of both.

However, the new system is not transparent, and there are some issues outside my control about making it transparent.  
So in this case, the traffic seen by the IDS looks like this:

10.0.254.254 --> 11.22.33.44:80
10.0.254.254 <-- 11.22.33.44:80

10.0.254.254 is the web gateway.  In this case, we do not see the internal address.  It is certainly possible to go to 
the web gateway and determine the inside address if any signature fires, but this is an extra step and is undesirable.

We could also move the sensor behind the web gateway so it looks like this:

10.0.0.1 --> 10.0.254.254
10.0.0.1 <-- 10.0.254.254

But we are now missing the external address.

Has anyone run into this problem before?  If so, what are some options for solving it?  One idea I had was to read 
traffic from both sides of the gateway and attempt to combine them on the sensor, but I'm not sure how well this would 
work.  There may be a better solution that I have not thought of!

Thanks for any help!
-Nate
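The "read traffic from both sides of the gateway and combine them" idea raised in the post, worked through as an added example (this is not code from the original message, from Snort, or from any web gateway product). The flow record layout, the documentation-range sample addresses, and the matching key are all assumptions: it presumes both sensors see the cleartext request line and Host header, that the gateway forwards the request unchanged, and that the two sensors' clocks agree to within `window` seconds. When two internal clients fetch the same URL at nearly the same moment the join is genuinely ambiguous, so the code reports every candidate instead of guessing one.

```python
"""Join HTTP flows seen on the two sides of a non-transparent web gateway so
that an outside-facing alert (src = gateway) can be traced back to a client.

Added example, not from the original post. Assumptions: both sensors see the
cleartext request line and Host header, sensor clocks agree to within
`window` seconds, and the gateway forwards the request unchanged.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

GATEWAY_IP = "10.0.254.254"   # the gateway address given in the post


@dataclass(frozen=True)
class HttpFlow:
    ts: float    # seconds when the request was seen by that sensor
    src: str     # inside: client IP; outside: gateway IP
    dst: str     # inside: gateway IP; outside: external server IP
    host: str    # HTTP Host header
    uri: str     # request URI


@dataclass(frozen=True)
class Correlation:
    ts: float                      # outside-side timestamp
    external: str                  # external server the gateway contacted
    host: str
    uri: str
    candidates: Tuple[str, ...]    # inside clients whose request matched
    ambiguous: bool                # more than one distinct client matched

    @property
    def client(self) -> Optional[str]:
        """The single resolved client, or None if none or several matched."""
        return self.candidates[0] if len(self.candidates) == 1 else None


def correlate(inside: List[HttpFlow], outside: List[HttpFlow],
              window: float = 2.0) -> List[Correlation]:
    """For every gateway->internet request, find the client->gateway requests
    with the same Host and URI within `window` seconds. Requests the gateway
    serves from cache, or that never leave (intranet), stay unmatched."""
    by_key: Dict[Tuple[str, str], List[HttpFlow]] = {}
    for f in inside:
        if f.dst == GATEWAY_IP:          # ignore anything not headed to the gateway
            by_key.setdefault((f.host, f.uri), []).append(f)

    results: List[Correlation] = []
    for o in outside:
        if o.src != GATEWAY_IP:
            continue
        clients = {i.src for i in by_key.get((o.host, o.uri), [])
                   if abs(o.ts - i.ts) <= window}
        cands = tuple(sorted(clients))
        results.append(Correlation(o.ts, o.dst, o.host, o.uri, cands, len(cands) > 1))
    return results


def clients_for_alert(correlations: List[Correlation], external_ip: str,
                      alert_ts: float, window: float = 2.0) -> Set[str]:
    """Suspect clients for an outside-side alert that only carries the external
    IP and a timestamp. All candidates are returned, so nothing is guessed."""
    suspects: Set[str] = set()
    for c in correlations:
        if c.external == external_ip and abs(c.ts - alert_ts) <= window:
            suspects.update(c.candidates)
    return suspects


# Constructed sample data (not real captures); external addresses are documentation ranges.
INSIDE = [
    HttpFlow(100.0, "10.0.0.1", GATEWAY_IP, "www.example", "/index.html"),
    HttpFlow(100.3, "10.0.0.2", GATEWAY_IP, "www.example", "/index.html"),  # same URL, near-simultaneous
    HttpFlow(105.0, "10.0.0.5", GATEWAY_IP, "dl.example", "/payload.exe"),
    HttpFlow(110.0, "10.0.0.7", GATEWAY_IP, "intranet.local", "/"),           # never leaves the network
]
OUTSIDE = [
    HttpFlow(100.2, GATEWAY_IP, "192.0.2.10", "www.example", "/index.html"),
    HttpFlow(105.1, GATEWAY_IP, "203.0.113.9", "dl.example", "/payload.exe"),
    HttpFlow(130.0, GATEWAY_IP, "198.51.100.4", "cdn.example", "/lib.js"),   # no inside request, e.g. a cache refresh
]

if __name__ == "__main__":
    table = correlate(INSIDE, OUTSIDE)
    for c in table:
        who = c.client or ("ambiguous " + str(c.candidates) if c.ambiguous else "unmatched")
        print(f"{c.ts:7.1f}  {GATEWAY_IP} -> {c.external}:80  {c.host}{c.uri}  client={who}")
    print("suspects for alert on 203.0.113.9 at t=105.5:",
          clients_for_alert(table, "203.0.113.9", 105.5))
```

Run against the constructed data, the download of /payload.exe resolves to 10.0.0.5, the two simultaneous fetches of /index.html are flagged ambiguous with both clients listed, and the outbound request with no inside counterpart is left unmatched rather than attributed to anyone. On a real deployment the same join can only work for cleartext HTTP the sensors can parse; for TLS the gateway's own access log remains the authoritative client mapping.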