Snort mailing list archives

Re: Sensor placement with presence of web proxies


From: Jason Wallace <jason.r.wallace () gmail com>
Date: Thu, 26 Jan 2012 18:52:43 -0500

I have been dealing with proxies and IPS for years now. I have a
love-hate relationship with our proxies. They make IPS much harder,
but they can block a lot of garbage.

Things to think about...

General info:
1. Alerts are not generated for things blocked by the proxy if you
deploy in-front. Same concept as why we do not deploy sensors in-front
of a firewall.
1a. This also means that an infected host making requests that are
blocked by the proxy is not going to be seen by the IPS. You have to
review proxy logs to find this.
2. Caching. In-front you do not see everything actually served to the
client because the proxy serves cached content.

Explicit:
1. Fewer FPs when deployed in-front. I can tell you that the traffic
in-front of the proxy is not the same as the traffic behind the proxy
in explicit mode. I have deployed nearly identical sensors in both
places at the same time and the FP rate behind the proxy is going to
be higher than in-front of it. I honestly cannot explain why. If
anyone knows what would cause this I would love to know.

2. You have to use the XFF header. This helps but it still sucks, and
it doesn't help if the rule is designed to alert on a response or on
something not in the original request packet (think bad javascript 3/4
the way through a large pdf). There are also times when the request is
large and the XFF header is in the second packet, but the rule fires
on the URI. You miss the XFF in these cases. Happens a lot with large
cookies being set.

3. A lot of malware is not proxy aware. When it tries to phone home
all you will know is that something is banging on the default deny of
your firewall. If it does this a lot it is easy to find; if it is
quiet this is more difficult to find. Reviewing default deny logs is a
lot of work. You never know if it is a misconfigured app, malware, or
some knucklehead that has configured their home printer in their
asset.

4. If you have to exclude external sites from inspection, you cannot
use a BPF to do this if you are behind the proxy, because the
destination is always the proxy.

5. A good thing is it makes stream5 and frag3 easy to configure: use
the policies that match the proxy, not the end-client.

6. If you use IP reputation based rules, these do not work behind a
proxy in explicit mode.

In explicit mode you either have to monitor both sides and correlate
the alerts, or just pick your poison. I have to be in-front because of
the BPF issue. If given a choice I would prefer to be behind the
proxy.

WCCP:

You want the sensor behind the proxy. Snort can handle the GRE tunnel
and you will see the true source and destination, IIRC.

my $0.02,
Wally

On Thu, Jan 26, 2012 at 5:02 PM, Jefferson, Shawn
<Shawn.Jefferson () bcferries com> wrote:
Hi Martin,

I have the exact configuration* you are describing, and I have wondered the same thing.  I do get alerts for 
proxy-bound HTTP traffic, so I am fairly comfortable that detection is still working correctly.  I think I've even 
asked the same question on this list with no answers.  I'm interested in verifying this as well.

*We actually have two scenarios:

1. Explicit proxy configuration.
2. WCCP redirect of 80/443 traffic.

Both seem to generate alerts from Snort still.


-----Original Message-----
From: Martin Holste [mailto:mcholste () gmail com]
Sent: Thursday, January 26, 2012 1:54 PM
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Sensor placement with presence of web proxies

Our org is looking at using web proxies without changing settings on the client.  This can involve using Cisco's WCCP 
or policy-based routing to marshal traffic that would normally go to the Internet to a proxy.  As I understand it, 
the proxy makes the request, returns the response to the router, and the router returns the response to the client.  
My question is if anyone has run into problems with a tap or span on the side of the router closest to the client.  
That is, does the proxy change the traffic enough to interfere?  It seems nonsensical to put the sensor at the edge 
of the network since the requests will have the source IP of the proxy, not the actual client, but that means that 
the traffic the IDS inspects will be inauthentic versus what the remote host on the Internet actually sent.
Theoretically, it should be the same traffic, but I'm wondering if anyone can confirm that.  I'm especially concerned 
with appliances that reorder or normalize HTTP headers, etc.

Thanks,

Martin

------------------------------------------------------------------------------
Keep Your Developer Skills Current with LearnDevNow!
The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, 
SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-d2d
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
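The attribution gap in Wally's point 2 (the X-Forwarded-For header landing in a later segment than the URI a rule fires on), as an added Python illustration that is not from the thread and not Snort's own http_inspect/stream5 code: a per-packet match attributes the alert to the proxy's address, while reassembling the request before matching recovers the client address. The proxy address, the URI marker the toy rule matches on, and the request bytes are all constructed.

```python
import re
from dataclasses import dataclass

# Constructed values for the demo: a documentation-range proxy address and a
# made-up URI marker standing in for whatever a real rule would match on.
PROXY_IP = "192.0.2.10"
SUSPICIOUS_URI = re.compile(rb"^GET /[^ ]*bad-uri-marker[^ ]* HTTP/", re.M)
XFF_HEADER = re.compile(rb"^X-Forwarded-For:[ \t]*([^\r\n]+)", re.M | re.I)


@dataclass
class Segment:
    """One TCP segment of a client request as seen on the far side of the proxy."""
    src_ip: str
    payload: bytes


def client_ip(data: bytes, src_ip: str) -> str:
    """Attribute to the first X-Forwarded-For address when one is present;
    otherwise fall back to the packet source, which behind an explicit proxy
    is the proxy itself (Wally's point 2)."""
    m = XFF_HEADER.search(data)
    if m:
        return m.group(1).split(b",")[0].strip().decode("ascii", "replace")
    return src_ip


def inspect_per_packet(segments: list) -> list:
    """Match and attribute each segment on its own: the URI match in segment 1
    cannot see an XFF header that only arrives in segment 2."""
    return [client_ip(s.payload, s.src_ip)
            for s in segments if SUSPICIOUS_URI.search(s.payload)]


def inspect_reassembled(segments: list) -> list:
    """Reassemble the whole request first, then match and attribute."""
    data = b"".join(s.payload for s in segments)
    return [client_ip(data, segments[0].src_ip)] if SUSPICIOUS_URI.search(data) else []


def sample_request() -> list:
    """Constructed request: the URI sits in segment 1, but a large Cookie
    header pushes the proxy-inserted X-Forwarded-For into segment 2."""
    seg1 = (b"GET /path/bad-uri-marker HTTP/1.1\r\nHost: example.test\r\n"
            b"Cookie: session=" + b"A" * 1400 + b"\r\n")
    seg2 = b"X-Forwarded-For: 10.1.2.3\r\nAccept: */*\r\n\r\n"
    return [Segment(PROXY_IP, seg1), Segment(PROXY_IP, seg2)]
```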