Snort mailing list archives
Re: Snort on proxy (outbound alerts)
From: Joel Esler <jesler () sourcefire com>
Date: Fri, 18 Jan 2013 14:11:33 -0500
Snort supports the logging of internal IPs if your proxy supports "X-Forwarded-For" or "True-Client-IP" headers:

http://manual.snort.org/node255.html (enable_xff)

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jan 18, 2013, at 1:58 PM, Jason Wallace <jason.r.wallace () gmail com> wrote:

> I have a similar situation, a proxy with a single NIC. While my sensor is inline with this NIC, I prefer to only inspect the traffic between the client and the proxy, and not the proxy to outside. This is the BPF I use.
>
> (src net 10.0.0.0/8 or src net 192.168.0.0/16 or src net 172.16.0.0/12) and (dst net <proxy #1 IP>/32 or dst net <proxy #2 IP>/32)
> or
> (src net <proxy #1 IP>/32 or src net <proxy #2 IP>/32) and (dst net 10.0.0.0/8 or dst net 192.168.0.0/16 or dst net 172.16.0.0/12)
>
> Thx,
> Wally
>
> On Fri, Jan 18, 2013 at 12:34 PM, waldo kitty <wkitty42 () windstream net> wrote:
>
>> On 1/18/2013 06:50, J. H wrote:
>>
>>> Hi, Thank you for answering. Only one interface on my proxy machine. SQUID/Snort listening on the same one.
>>
>> some might consider that to be part of the problem... it sounds like what you want is for snort to be listening only to your internal machines... you might be able to use a bpf to block out alerts concerning your proxy...
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
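An added example, not part of the original thread: a small generator for the client-to-proxy BPF quoted above, plus a model of its decision so the filter can be checked before it is loaded on a sensor. pcap-filter gives `and` and `or` equal precedence and evaluates left to right, so this version wraps each direction in its own parentheses; the function names and the proxy addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges used in the filter quoted in the thread.
INTERNAL_NETS = ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]


def _any_of(direction, nets):
    """Join 'src net X' / 'dst net X' terms with 'or' inside one group."""
    return "(" + " or ".join(f"{direction} net {n}" for n in nets) + ")"


def build_bpf(proxy_ips, internal_nets=INTERNAL_NETS):
    """Return a BPF that keeps only client<->proxy traffic."""
    # IPv4Address() raises ValueError on malformed input before it reaches the filter.
    proxies = [f"{ipaddress.IPv4Address(p)}/32" for p in proxy_ips]
    to_proxy = f"({_any_of('src', internal_nets)} and {_any_of('dst', proxies)})"
    from_proxy = f"({_any_of('src', proxies)} and {_any_of('dst', internal_nets)})"
    return f"{to_proxy} or {from_proxy}"


def inspected(src, dst, proxy_ips, internal_nets=INTERNAL_NETS):
    """Model of the filter's decision for one packet's src/dst addresses."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    proxies = {ipaddress.IPv4Address(p) for p in proxy_ips}
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)

    def internal(addr):
        return any(addr in n for n in nets)

    return (internal(s) and d in proxies) or (s in proxies and internal(d))


if __name__ == "__main__":
    proxies = ["10.1.1.10", "10.1.1.11"]  # constructed sample addresses
    print(build_bpf(proxies))
    # Constructed flows: client -> proxy, then proxy -> outside host.
    for src, dst in [("10.2.3.4", "10.1.1.10"), ("10.1.1.10", "203.0.113.7")]:
        verdict = "inspected" if inspected(src, dst, proxies) else "skipped"
        print(f"{src} -> {dst}: {verdict}")
```

With this filter the sensor sees the original client address directly, so alerts on the client-to-proxy leg do not depend on the proxy adding an X-Forwarded-For header.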
Current thread:
- Snort on proxy (outbound alerts) Thibaud Raso (Jan 18)
- Re: Snort on proxy (outbound alerts) Balasubramaniam Natarajan (Jan 18)
- Re: Snort on proxy (outbound alerts) J. H (Jan 18)
- Re: Snort on proxy (outbound alerts) Balasubramaniam Natarajan (Jan 18)
- Re: Snort on proxy (outbound alerts) waldo kitty (Jan 18)
- Re: Snort on proxy (outbound alerts) T. R (Jan 18)
- Re: Snort on proxy (outbound alerts) Jason Wallace (Jan 18)
- Re: Snort on proxy (outbound alerts) Jason Wallace (Jan 18)
- Re: Snort on proxy (outbound alerts) Joel Esler (Jan 18)
- Re: Snort on proxy (outbound alerts) Jason Wallace (Jan 18)
- Re: Snort on proxy (outbound alerts) J. H (Jan 18)
- Re: Snort on proxy (outbound alerts) Balasubramaniam Natarajan (Jan 18)