Snort mailing list archives
Re: [Emerging-Sigs] Snort Alerts Differences with and without WebProxy
From: Balasubramaniam Natarajan <bala150985 () gmail com>
Date: Mon, 21 May 2012 00:58:23 +0530
Hi I made some more test and I confirm that something is going wrong if I have proxy on, on my clients snort is missing some alerts. *BaseLine without Proxy *When I did not use a webproxy for the client and when I accessed a page where in username and password would be submitted over clear text snort would throw up this alert "ET POLICY Http Client Body contains pass= in cleartext". *Test1: (Running Wireshark On client) *I ran wireshark locally on the client and tried to access the same page where in username and password would be submitted over clear text snort did not throw the alert like previously though I am able to see my username and password on the pcap *Test2: (Running tcpdump On snort #tcpdump -vv -i eth0 -w eth0.pcap **-s 0** ) *I ran tcpdump on the eth0 interface of snort and tried to access the same page where in username and password would be submitted over clear text snort did not throw the alert though I am able to see my username and password on the pcap *Test3: (Running tcpdump On snort #tcpdump -vv -i eth1 -w eth1.pcap** -s 0** ) *I ran tcpdump on the eth1 interface of snort and tried to access the same page where in username and password would be submitted over clear text snort did not throw the alert though I am able to see my username and password on the pcap Attaching screen shot of Test2 and Test3. http://img207.imageshack.us/img207/4480/snortproxy.jpg<http://img440.imageshack.us/img440/4480/snortproxy.jpg> *Note: *I had to add the additional switch of "-s 0" to tcpdump as I was getting this error "[Packet size limited during capture: HTTP truncated]". I am not sure if snort is sharing the same fate of tcpdump and I am not sure how to add the additional switch of "-s 0" to the running instance of snort. @Joel, thanks for showing the right group to address this question to and I did not see any incorrect appearing on the pcap. On Sun, May 20, 2012 at 8:56 PM, Joel Esler <jesler () sourcefire com> wrote:
Probably a better question for the Snort-users mailing list. But yes, the ips may show up differently (for instance the source ip may be that of the proxy). Maybe some checksum errors in there? Do a tcpdump on the interface with the -vv options and see if "incorrect" shows up in the dump. -- Joel Esler On May 20, 2012, at 4:31 AM, Balasubramaniam Natarajan < bala150985 () gmail com> wrote: Hi Should there be any difference with Snort alerts if the internal client are using a webproxy as oppose to those which are not ? I am asking this because I see remarkable difference between the two. *Initial Configuration without Squid WebProxy * Internal Clients (Default Gateway eth1 on snort) ---> (eth1) Snort (eth0) ----> Internet Snort was running on eth1 and it logged lots of alerts *Present Configuration with Squid WebProxy* Internal Client (webproxy to snort:3128 on eth1) ------> (eth1) Snort (eth0) ------> Internet Now Snort is running on eth0 interface and the number of alerts which are logged are way too less. I guess some alerts are somehow missed. -- Regards, Balasubramaniam Natarajan www.etutorshop.com/moodle/ _______________________________________________ Emerging-sigs mailing list Emerging-sigs () lists emergingthreats net http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
-- Regards, Balasubramaniam Natarajan www.etutorshop.com/moodle/
------------------------------------------------------------------------------ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Re: [Emerging-Sigs] Snort Alerts Differences with and without WebProxy Joel Esler (May 20)
- Re: [Emerging-Sigs] Snort Alerts Differences with and without WebProxy Balasubramaniam Natarajan (May 20)
- Re: [Emerging-Sigs] Snort Alerts Differences with and without WebProxy Balasubramaniam Natarajan (May 20)
- Re: [Emerging-Sigs] Snort Alerts Differences with and without WebProxy Balasubramaniam Natarajan (May 21)
- Re: [Emerging-Sigs] Snort Alerts Differences with and without WebProxy Russ Combs (May 21)
- Re: [Emerging-Sigs] Snort Alerts Differences with and without WebProxy Balasubramaniam Natarajan (May 29)
- Re: [Emerging-Sigs] Snort Alerts Differences with and without WebProxy Balasubramaniam Natarajan (May 20)
- Re: [Emerging-Sigs] Snort Alerts Differences with and without WebProxy Balasubramaniam Natarajan (May 20)