Snort mailing list archives

Re: Sensor placement with presence of web proxies


From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Thu, 26 Jan 2012 16:06:49 -0700

Oh, I should also say that I have used the multiple configs feature of snort, and created a config with my proxy server 
tagged as EXTERNAL_NET.

Joel, how does the X-Forwarded-For header logging work?  One issue I have is that I see the IP of my proxy as the 
source of alerts... and have to dig into the data to figure out what's really happening.


From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, January 26, 2012 2:15 PM
To: Jefferson, Shawn
Cc: Martin Holste; <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Sensor placement with presence of web proxies

We have the X-Forwarded-For (etc) header logging in Snort to deal with just this problem.

Saying that, I've seen a sensor deployed in both ways (inside the proxy and outside the proxy); inside the proxy (client 
desktop side) is much preferred.

Also, saying that, if your proxy does any proxying over some strange port, make sure it's in http_inspect and 
HTTP_PORTS for now.

J
On Thu, Jan 26, 2012 at 5:02 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
Hi Martin,

I have the exact configuration* you are describing, and I have wondered the same thing.  I do get alerts for 
proxy-bound HTTP traffic, so I am fairly comfortable that detection is still working correctly.  I think I've even 
asked the same question on this list with no answers.  I'm interested in verifying this as well.

*We actually have two scenarios:

1. Explicit proxy configuration.
2. WCCP redirect of 80/443 traffic.

Both seem to generate alerts from Snort still.


-----Original Message-----
From: Martin Holste [mailto:mcholste () gmail com]
Sent: Thursday, January 26, 2012 1:54 PM
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Sensor placement with presence of web proxies

Our org is looking at using web proxies without changing settings on the client.  This can involve using Cisco's WCCP 
or policy-based routing to marshal traffic that would normally go to the Internet to a proxy.  As I understand it, the 
proxy makes the request, returns the response to the router, and the router returns the response to the client.  My 
question is if anyone has run into problems with a tap or span on the side of the router closest to the client.  That 
is, does the proxy change the traffic enough to interfere?  It seems nonsensical to put the sensor at the edge of the 
network since the requests will have the source IP of the proxy, not the actual client, but that means that the traffic 
the IDS inspects will be inauthentic versus what the remote host on the Internet actually sent.
Theoretically, it should be the same traffic, but I'm wondering if anyone can confirm that.  I'm especially concerned 
with appliances that reorder or normalize HTTP headers, etc.

Thanks,

Martin

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL 
- plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!




--
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
Twitter:  http://twitter.com/snort
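As an added example (not part of the thread, and not configuration shipped by the Snort project), here are the Snort 2.9 snort.conf pieces that correspond to the three points raised above: the HTTP_PORTS / http_inspect port change Joel mentions for a proxy on a non-standard port, the enable_xff option that makes http_inspect pick up X-Forwarded-For / True-Client-IP, and the multiple-configuration binding Shawn uses to treat the proxy as EXTERNAL_NET. The proxy address 10.1.1.25, its port 3128, HOME_NET 10.0.0.0/8 and the path /etc/snort/snort-proxy.conf are assumptions for illustration only.

```conf
# ---- /etc/snort/snort.conf (default policy) -- added example, values assumed ----
ipvar HOME_NET 10.0.0.0/8
ipvar EXTERNAL_NET !$HOME_NET

# Joel's point: an explicit proxy listening on 3128 is only inspected as HTTP if
# 3128 is in HTTP_PORTS (rules) AND in the http_inspect_server ports list
# (preprocessor). Missing either one silently turns proxy-bound traffic into
# plain TCP as far as the HTTP rules are concerned.
portvar HTTP_PORTS [80,8080,3128]

preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all \
    ports { 80 8080 3128 } \
    enable_xff

# enable_xff makes http_inspect record the X-Forwarded-For / True-Client-IP
# address of a request; with unified2 output it is written as extra data
# alongside the event, so the true client shows up next to the proxy IP in
# the alert record instead of having to be dug out of the packet payload.
output unified2: filename snort.u2, limit 128

# Shawn's approach: bind a second configuration to any packet whose source or
# destination is the proxy. That file re-declares the variables so the proxy
# falls on the EXTERNAL_NET side for $EXTERNAL_NET -> $HOME_NET rules.
config binding: /etc/snort/snort-proxy.conf net [10.1.1.25/32]

# ---- /etc/snort/snort-proxy.conf (bound policy) -- added example ----
# Excluding the proxy from HOME_NET is allowed because the negated range is
# more specific than the non-negated one; the result is that 10.1.1.25 is
# matched by EXTERNAL_NET while the rest of 10/8 stays HOME_NET.
ipvar HOME_NET [10.0.0.0/8,!10.1.1.25/32]
ipvar EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080,3128]
include $RULE_PATH/web-client.rules
```

Two caveats a practitioner should keep in mind when relying on this. First, X-Forwarded-For is an ordinary request header: a client can send one itself, and the proxy normally appends rather than replaces, so the value is only trustworthy when the sensor sits on the proxy's Internet-facing side where the proxy was the last hop to touch it; that is part of why a client-side sensor is preferred in the thread. Second, a forward proxy terminates the client's TCP session and opens its own, so a sensor outside the proxy inspects the proxy's re-emitted HTTP (header order, casing and connection handling may differ from what the client sent), whereas a WCCP-redirected flow seen on the client side of the router still carries the original client IP and the client's own bytes.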
