Snort mailing list archives

Re: Alerts with the incorrect Source IP (proxy server)


From: Jason Haar <Jason_Haar () trimble com>
Date: Fri, 26 Oct 2012 12:16:53 +1300

On 26/10/12 00:56, Bamm Visscher wrote:
Brad - You can move the sensor outside the proxy and then you will get
the external website IP address, but you may have to re-architect your
proxy (turn on x-forwarded-for or use a transparent proxy) to be able
to identify the internal source of the acty. Another option would be
to add another sensor and sandwich the proxy between the two sensors.

That won't work because even with a transparent proxy, the TCP stream
leading away from the proxy has the *proxy's* IP address - not the client's.

What would be needed to make snort correctly make the proxy "disappear"
from data is:

A: NIDS in front of LAN side of transparent proxy

1. snort will see true client address
2. snort will see IP address of end server
3. Profit!

B: NIDS in front of LAN side of traditional, non-transparent proxy

1. snort will see true client address
2. snort will see IP address of proxy. To fix, snort would need to have a
new feature whereby it tracks the "Host:" header used by an outbound
proxy request and uses that DNS name to resolve to an IP (gah - won't
work with servers with multiple IPs!!!) so that the outbound and return
traffic could be associated with that "forged" server IP instead of the
proxy.

C: NIDS in front of WAN/Internet side of transparent OR non-transparent
proxy

1. snort will see IP of proxy, so will need to rely on proxy
administrator slightly lowering their privacy options by enabling
X-Forwarded-For on outbound
2. snort will see the IP address of the end server
3. Profit!


I would recommend doing "A" or "C" - in that order.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
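Option "C" above only works if whatever consumes the alerts re-attributes a source address of the proxy to the client named in X-Forwarded-For. The following is an added illustration of that attribution logic for a post-processing script; it is not code from the thread or from Snort, and the proxy address 10.0.0.5 and the sample alerts are assumed values.

```python
import ipaddress
from dataclasses import dataclass

# Assumed: the address of our own outbound proxy, as seen by a sensor on
# the WAN side (position "C"). Every alert there has this as its source.
PROXY_IPS = {ipaddress.ip_address("10.0.0.5")}


@dataclass
class Alert:
    """Minimal stand-in for a Snort alert plus the request's HTTP headers."""
    src_ip: str
    dst_ip: str
    headers: dict  # lower-cased header name -> value


def true_client(alert: Alert, trusted_proxies=PROXY_IPS) -> str:
    """Return the client IP the alert should be attributed to.

    If the packet source is not one of our proxies, the packet is the truth.
    Otherwise walk X-Forwarded-For from the right (the hop our proxy appended)
    leftwards, skipping other trusted proxies, and stop at the first address
    we did not add ourselves. Anything further left was supplied by the
    client and cannot be verified, so it is never used.
    """
    src = ipaddress.ip_address(alert.src_ip)
    if src not in trusted_proxies:
        return str(src)
    xff = alert.headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop: stop and fall back to the proxy address
        if ip not in trusted_proxies:
            return str(ip)
    return str(src)  # no usable XFF: the proxy is the best we can say


if __name__ == "__main__":
    # Constructed alert: proxy is the packet source, XFF names the LAN client.
    a = Alert("10.0.0.5", "198.51.100.7", {"x-forwarded-for": "192.168.1.23"})
    print(true_client(a))
```

Walking the chain from the right matters because a client can send its own X-Forwarded-For before the request ever reaches the proxy; only the value the proxy itself appended is trustworthy. Snort 2.9's http_inspect preprocessor has an `enable_xff` option that logs the X-Forwarded-For client alongside the event, which achieves the same end inside the sensor.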

