Re: Sensor placement with presence of web proxies

[Joel Esler <jesler () sourcefire com>]

I've done both.  I just prefer it closer to the end point.

On Fri, Jan 27, 2012 at 12:36 PM, Martin Holste <mcholste () gmail com> wrote:

> It sounds like there aren't too many show-stoppers for deploying on
> the client-side of the proxy, and we definitely don't have the
> resources to monitor both sides, so I guess that's where we'll end up.
>
> Great stuff--I'm glad I asked!  Thanks all.
>
> On Thu, Jan 26, 2012 at 9:10 PM, Joel Esler <jesler () sourcefire com> wrote:
> > "* enable_xff *
> > This option enables Snort to parse and log the original client IP
> present in
> > the
> > X-Forwarded-For or True-Client-IP HTTP request headers along with the
> > generated
> > events. The XFF/True-Client-IP Original client IP address is logged only
> > with
> > unified2 output and is not logged with console (-A cmg) output.
> >
> > NOTE: The original client IP from XFF/True-Client-IP in unified2 logs
> can be
> > viewed
> > using the tool u2spewfoo. This tool is present in the tools/u2spewfoo
> > directory of
> > snort source tree."
> >
> > README.http_inspect.
> >
> > I don't know what OpenSource GUIs support this field in the unified2 file
> > yet, the only GUI I know that supports it is ours (Sourcefire).
> >  Dustin/Snorby?  Care to chime in here?
> >
> > --
> > Joel Esler
> > Senior Research Engineer, VRT
> > OpenSource Community Manager
> > Sourcefire
> >
> > On Jan 26, 2012, at 6:06 PM, Jefferson, Shawn wrote:
> >
> > Oh, I should also say that I have used the multiple configs feature of
> > snort, and created a config with my proxy server tagged as EXTERNAL_NET.
> >
> > Joel, how does the X-Forwarded-For header logging work?  One issue I
> have is
> > that I see the IP of my proxy as the source of alerts… and have to dig
> into
> > the data to figure out what’s really happening.
> >
> >
> > From: Joel Esler [mailto:jesler () sourcefire com]
> > Sent: Thursday, January 26, 2012 2:15 PM
> > To: Jefferson, Shawn
> > Cc: Martin Holste; <snort-users () lists sourceforge net>
> > Subject: Re: [Snort-users] Sensor placement with presence of web proxies
> >
> > We have the X-Forwarded-For (etc) header logging in Snort to deal with
> just
> > this problem.
> >
> > Saying that, I've seen a sensor deployed in both ways (inside the proxy
> and
> > outside the proxy) inside the proxy (client desktop side) is much
> preferred.
> > Also, saying that, make sure if your proxy does any proxying over some
> > strange port, make sure it's in http_inspect and HTTP_PORTS for now.
> >
> >
> > J
> >
> > On Thu, Jan 26, 2012 at 5:02 PM, Jefferson, Shawn
> > <Shawn.Jefferson () bcferries com> wrote:
> > Hi Martin,
> >
> > I have the exact configuration* you are describing, and I have wondered
> the
> > same thing.  I do get alerts for proxy-bound HTTP traffic, so I am fairly
> > comfortable that detection is still working correctly.  I think I've even
> > asked the same question on this list with no answers.  I'm interested in
> > verifying this as well.
> >
> > *We actually have two scenarios:
> >
> > 1. Explicit proxy configuration.
> > 2. WCCP redirect of 80/443 traffic.
> >
> > Both seem to generate alerts from Snort still.
> >
> >
> > -----Original Message-----
> > From: Martin Holste [mailto:mcholste () gmail com]
> > Sent: Thursday, January 26, 2012 1:54 PM
> > To: <snort-users () lists sourceforge net>
> > Subject: [Snort-users] Sensor placement with presence of web proxies
> >
> > Our org is looking at using web proxies without changing settings on the
> > client.  This can involve using Cisco's WCCP or policy-based routing to
> > marshal traffic that would normally go to the Internet to a proxy.  As I
> > understand it, the proxy makes the request, returns the response to the
> > router, and the router returns the response to the client.  My question
> is
> > if anyone has run into problems with a tap or span on the side of the
> router
> > closest to the client.  That is, does the proxy change the traffic
> enough to
> > interfere?  It seems nonsensical to put the sensor at the edge of the
> > network since the requests will have the source IP of the proxy, not the
> > actual client, but that means that the traffic the IDS inspects will be
> > inauthentic versus what the remote host on the Internet actually sent.
> > Theoretically, it should be the same traffic, but I'm wondering if anyone
> > can confirm that.  I'm especially concerned with appliances that reorder
> or
> > normalize HTTP headers, etc.
> >
> > Thanks,
> >
> > Martin
> ------------------------------------------------------------------------------
> > Keep Your Developer Skills Current with LearnDevNow!
> > The most comprehensive online learning library for Microsoft developers
> is
> > just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro
> > Style Apps, more. Free future releases when you subscribe now!
> > http://p.sf.net/sfu/learndevnow-d2d
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort
> > news!
> ------------------------------------------------------------------------------
> > Keep Your Developer Skills Current with LearnDevNow!
> > The most comprehensive online learning library for Microsoft developers
> > is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> > Metro Style Apps, more. Free future releases when you subscribe now!
> > http://p.sf.net/sfu/learndevnow-d2d
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> Snort
> > news!
> >
> >
> >
> >
> > --
> > Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
> > http://blog.clamav.net
> > Twitter:  http://twitter.com/snort



-- 
Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org |
http://blog.clamav.net
Twitter:  http://twitter.com/snort

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!