Snort mailing list archives
Re: Sensor placement with presence of web proxies
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 27 Jan 2012 12:47:44 -0500
I've done both. I just prefer it closer to the end point.

On Fri, Jan 27, 2012 at 12:36 PM, Martin Holste <mcholste () gmail com> wrote:

It sounds like there aren't too many show-stoppers for deploying on the client side of the proxy, and we definitely don't have the resources to monitor both sides, so I guess that's where we'll end up. Great stuff -- I'm glad I asked! Thanks all.

On Thu, Jan 26, 2012 at 9:10 PM, Joel Esler <jesler () sourcefire com> wrote:

"* enable_xff * This option enables Snort to parse and log the original client IP present in the X-Forwarded-For or True-Client-IP HTTP request headers along with the generated events. The XFF/True-Client-IP Original client IP address is logged only with unified2 output and is not logged with console (-A cmg) output. NOTE: The original client IP from XFF/True-Client-IP in unified2 logs can be viewed using the tool u2spewfoo. This tool is present in the tools/u2spewfoo directory of snort source tree." -- README.http_inspect.

I don't know what OpenSource GUIs support this field in the unified2 file yet; the only GUI I know that supports it is ours (Sourcefire). Dustin/Snorby? Care to chime in here?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jan 26, 2012, at 6:06 PM, Jefferson, Shawn wrote:

Oh, I should also say that I have used the multiple configs feature of snort, and created a config with my proxy server tagged as EXTERNAL_NET.

Joel, how does the X-Forwarded-For header logging work? One issue I have is that I see the IP of my proxy as the source of alerts… and have to dig into the data to figure out what's really happening.

From: Joel Esler [mailto:jesler () sourcefire com]
Sent: Thursday, January 26, 2012 2:15 PM
To: Jefferson, Shawn
Cc: Martin Holste; <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] Sensor placement with presence of web proxies

We have the X-Forwarded-For (etc) header logging in Snort to deal with just this problem.

Saying that, I've seen a sensor deployed in both ways (inside the proxy and outside the proxy); inside the proxy (client desktop side) is much preferred. Also, saying that, make sure if your proxy does any proxying over some strange port, make sure it's in http_inspect and HTTP_PORTS for now.

J

On Thu, Jan 26, 2012 at 5:02 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:

Hi Martin,

I have the exact configuration* you are describing, and I have wondered the same thing. I do get alerts for proxy-bound HTTP traffic, so I am fairly comfortable that detection is still working correctly. I think I've even asked the same question on this list with no answers. I'm interested in verifying this as well.

*We actually have two scenarios:
1. Explicit proxy configuration.
2. WCCP redirect of 80/443 traffic.
Both seem to generate alerts from Snort still.

-----Original Message-----
From: Martin Holste [mailto:mcholste () gmail com]
Sent: Thursday, January 26, 2012 1:54 PM
To: <snort-users () lists sourceforge net>
Subject: [Snort-users] Sensor placement with presence of web proxies

Our org is looking at using web proxies without changing settings on the client. This can involve using Cisco's WCCP or policy-based routing to marshal traffic that would normally go to the Internet to a proxy. As I understand it, the proxy makes the request, returns the response to the router, and the router returns the response to the client. My question is if anyone has run into problems with a tap or span on the side of the router closest to the client. That is, does the proxy change the traffic enough to interfere? It seems nonsensical to put the sensor at the edge of the network since the requests will have the source IP of the proxy, not the actual client, but that means that the traffic the IDS inspects will be inauthentic versus what the remote host on the Internet actually sent. Theoretically, it should be the same traffic, but I'm wondering if anyone can confirm that.

I'm especially concerned with appliances that reorder or normalize HTTP headers, etc.

Thanks,
Martin

--
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org | http://blog.clamav.net
Twitter: http://twitter.com/snort
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
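A snort.conf fragment, added here as an illustration and not taken from any message in the thread, that ties together the settings discussed above for a sensor on the Internet side of the proxy, where alerts otherwise carry the proxy's IP as source: the proxy's listening port in both HTTP_PORTS and the http_inspect server ports, enable_xff so the X-Forwarded-For / True-Client-IP client address is written to unified2, and an optional binding for a proxy-specific config as Shawn described. The port 3128, the 10.0.0.0/8 range, the proxy address 10.1.1.5 and the file paths are assumptions.

```conf
# Added example (Snort 2.9-style syntax), not from the thread.
# Network values below are assumed; substitute your own.
ipvar HOME_NET 10.0.0.0/8
ipvar EXTERNAL_NET !$HOME_NET

# A proxy listening on a non-standard port (3128 assumed) must be in
# HTTP_PORTS, or rules written against $HTTP_PORTS never see its traffic...
portvar HTTP_PORTS [80,8080,3128]

# ...and in the http_inspect server ports, or the preprocessor will not
# normalize it. enable_xff makes http_inspect parse X-Forwarded-For /
# True-Client-IP and log the original client IP with each event.
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 3128 } \
    enable_xff

# The XFF client IP reaches only unified2 output (not -A cmg console
# output); read it back with tools/u2spewfoo from the Snort source tree.
output unified2: filename snort.u2, limit 128

# Optional, via Snort's multiple-configuration feature: bind a separate
# config (one that treats the proxy as EXTERNAL_NET) to the proxy's own
# address. Path and address are assumptions.
# config binding: /etc/snort/snort_proxy.conf net 10.1.1.5/32
```

Since the proxy inserts the XFF header itself, this only helps on the proxy's outbound side; on the client side of the proxy the real client address is already the packet's source IP.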