Snort mailing list archives
Re: Alerts with the incorrect Source IP (proxy server)
From: Heine Lysemose <lysemose () gmail com>
Date: Thu, 25 Oct 2012 10:57:21 +0000
Hi I have had some of the same issues and still have. Another solution was to use transparent proxy. I'm not able to do this on out TMG server which in a setup as transparent proxy also should be the default gateway which is not the case in our network setup. Could a another solution be, since barnyard is not altering the packets, to have a options in the GUI (Snorby, Squil, Squert) frontends to select weather or not to switch the "Orig IP" with the "XFF IP". This will of course only work if Barnyard2 will start population the XFF/EXTRA DATA into to the database. Maybe this will be part of the new database schema? /Lysemose On Thu, Oct 25, 2012 at 2:33 AM, Eric G <eric () nixwizard net> wrote:
On Oct 24, 2012 2:42 PM, "Jeremy Hoel" <jthoel () gmail com> wrote:Check that out.. learned something new. I don't have that value in myconf either but that's something worth looking at. I didn't know about snort's xff option before Joel mentioned it either, but if it refers to the "X forwarded for" http header as I suspect it does, it might be turned off by default on your proxy appliance... we leave it off at work on our proxies because we'd rather not leak out our internal IP address scheme, and we have other ways of figuring put "who went where when" or "what traffic caused this rule to fire an alert?" At the end of the day, nothing beats good centralized logging and a packet capture appliance :) -- Eric ------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_sfd2d_oct _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Everyone hates slow websites. So do we. Make your web apps faster with AppDynamics Download AppDynamics Lite for free today: http://p.sf.net/sfu/appdyn_sfd2d_oct
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Alerts with the incorrect Source IP (proxy server) Turnbough, Bradley E. (Oct 24)
- Re: Alerts with the incorrect Source IP (proxy server) Jeremy Hoel (Oct 24)
- Re: Alerts with the incorrect Source IP (proxy server) Joel Esler (Oct 24)
- Re: Alerts with the incorrect Source IP (proxy server) Turnbough, Bradley E. (Oct 24)
- Re: Alerts with the incorrect Source IP (proxy server) beenph (Oct 24)
- Re: Alerts with the incorrect Source IP (proxy server) Jeremy Hoel (Oct 24)
- Re: Alerts with the incorrect Source IP (proxy server) Eric G (Oct 24)
- Re: Alerts with the incorrect Source IP (proxy server) Heine Lysemose (Oct 25)
- Re: Alerts with the incorrect Source IP (proxy server) beenph (Oct 25)
- Re: Alerts with the incorrect Source IP (proxy server) Heine Lysemose (Oct 25)
- Re: Alerts with the incorrect Source IP (proxy server) Joel Esler (Oct 24)
- Re: Alerts with the incorrect Source IP (proxy server) Jeremy Hoel (Oct 24)
- Re: Alerts with the incorrect Source IP (proxy server) Bamm Visscher (Oct 25)
- Re: Alerts with the incorrect Source IP (proxy server) Joel Esler (Oct 25)
- Re: Alerts with the incorrect Source IP (proxy server) Jason Haar (Oct 25)