Snort mailing list archives

Sensor placement with presence of web proxies


From: Martin Holste <mcholste () gmail com>
Date: Thu, 26 Jan 2012 15:54:14 -0600

Our org is looking at using web proxies without changing settings on
the client.  This can involve using Cisco's WCCP or policy-based
routing to marshal traffic that would normally go to the Internet to a
proxy.  As I understand it, the proxy makes the request, returns the
response to the router, and the router returns the response to the
client.  My question is if anyone has run into problems with a tap or
span on the side of the router closest to the client.  That is, does
the proxy change the traffic enough to interfere?  It seems
nonsensical to put the sensor at the edge of the network since the
requests will have the source IP of the proxy, not the actual client,
but that means that the traffic the IDS inspects will be inauthentic
versus what the remote host on the Internet actually sent.
Theoretically, it should be the same traffic, but I'm wondering if
anyone can confirm that.  I'm especially concerned with appliances
that reorder or normalize HTTP headers, etc.

Thanks,

Martin
