Snort mailing list archives
Re: Sensor placement with presence of web proxies
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Thu, 26 Jan 2012 18:52:43 -0500
I have been dealing with proxies and IPS for years now. I have a love-hate relationship with our proxies. They make IPS much harder, but they can block a lot of garbage. Things to think about... General info: 1. Alerts are not generated for things blocked by the proxy if you deploy in-front. Same concept as why we do not deploy sensors in-front of a firewall. 1a. This also means that an infected hosts making requests that are blocked by the proxy are not going to be seen by the IPS. You have to review proxy logs to find this. 2. Caching. In-front you do not see everything actually served to the client because the proxy serves cached content. Explicit: 1. Fewer FP's when deployed in-front. I can tell you that the traffic in-front of the proxy is not the same as the traffic behind the proxy in explicit mode. I have deployed nearly identical sensors in both places at the same time and the FP rate behind the proxy is going to be higher than in-front of it. I honestly can not explain why. If anyone knows what would cause this I would love to know. 2. You have to use the XFF header. This helps but it still sucks, and it doesn't help if the rule is designed to alert on a response or on something not in the original request packet (think bad javascript 3/4 the way through a large pdf). There are also times when the request is large and the XFF header is in the second packet, but the rule fires on the URI. You miss the XFF in these cases. Happens a lot with large cookies being set. 3. A lot of malware is not proxy aware. When it tries to phone home all you will know is that something is banging on the default deny of your firewall. If it does this a lot it is easy to find, if it is quite this is more difficult to find. Reviewing default deny logs is a lot of work. You never know if it is a misconfigured app, malware, or some knuckle head that has configured there home printer in their asset. 4. If you have to exclude external sites from inspection, you can not use a BPF to do this if you are behind the proxy, because the destination is always the proxy. 5. A good thing is it makes stream5 and frag3 easy to configure use the policies that match the proxy, not the end-client. 6. If you use IP reputation based rules, these do not work behind a proxy in explicit mode. In explicit mode you either have to monitor both sides and correlate the alerts, or just pick your poison. I have to be in-front because of the BPF issue. If given a choice I would prefer to be behind the proxy. WCCP: You want the sensor behind the proxy. Snort can handle the GRE tunnel and you will see the true source and destination, IIRC. my $0.02, Wally On Thu, Jan 26, 2012 at 5:02 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
Hi Martin, I have the exact configuration* you are describing, and I have wondered the same thing. I do get alerts for proxy-bound HTTP traffic, so I am fairly comfortable that detection is still working correctly. I think I've even asked the same question on this list with no answers. I'm interested in verifying this as well. *We actually have two scenarios: 1. Explicit proxy configuration. 2. WCCP redirect of 80/443 traffic. Both seem to generate alerts from Snort still. -----Original Message----- From: Martin Holste [mailto:mcholste () gmail com] Sent: Thursday, January 26, 2012 1:54 PM To: <snort-users () lists sourceforge net> Subject: [Snort-users] Sensor placement with presence of web proxies Our org is looking at using web proxies without changing settings on the client. This can involve using Cisco's WCCP or policy-based routing to marshal traffic that would normally go to the Internet to a proxy. As I understand it, the proxy makes the request, returns the response to the router, and the router returns the response to the client. My question is if anyone has run into problems with a tap or span on the side of the router closest to the client. That is, does the proxy change the traffic enough to interfere? It seems nonsensical to put the sensor at the edge of the network since the requests will have the source IP of the proxy, not the actual client, but that means that the traffic the IDS inspects will be inauthentic versus what the remote host on the Internet actually sent. Theoretically, it should be the same traffic, but I'm wondering if anyone can confirm that. I'm especially concerned with appliances that reorder or normalize HTTP headers, etc. Thanks, Martin ------------------------------------------------------------------------------ Keep Your Developer Skills Current with LearnDevNow! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! ------------------------------------------------------------------------------ Keep Your Developer Skills Current with LearnDevNow! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Keep Your Developer Skills Current with LearnDevNow! The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now! http://p.sf.net/sfu/learndevnow-d2d _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Sensor placement with presence of web proxies Martin Holste (Jan 26)
- Re: Sensor placement with presence of web proxies Jefferson, Shawn (Jan 26)
- Re: Sensor placement with presence of web proxies Joel Esler (Jan 26)
- Re: Sensor placement with presence of web proxies Jefferson, Shawn (Jan 26)
- Re: Sensor placement with presence of web proxies Joel Esler (Jan 26)
- Re: Sensor placement with presence of web proxies Martin Holste (Jan 27)
- Re: Sensor placement with presence of web proxies Joel Esler (Jan 27)
- Re: Sensor placement with presence of web proxies Harvey Chickers (Jan 29)
- Re: Sensor placement with presence of web proxies Joel Esler (Jan 26)
- Re: Sensor placement with presence of web proxies Jefferson, Shawn (Jan 26)
- Re: Sensor placement with presence of web proxies Jason Haar (Jan 26)