Re: Snort on proxy (outbound alerts)

[Jason Wallace <jason.r.wallace () gmail com>]

It does, but it is a pain in the ass to use most of the time because:
1) it isn't well supported by front ends or by SIEMs and 2) any checks
on cached content result in XFF being set to 127.0.0.1.

On Fri, Jan 18, 2013 at 2:11 PM, Joel Esler <jesler () sourcefire com> wrote:
> Snort supports the logging of internal IPs if your proxy supports
> "X-Forwarded-For" or "True-Client-IP" headers:
>
> http://manual.snort.org/node255.html
>
> (enable_xff)
>
>
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
>
> On Jan 18, 2013, at 1:58 PM, Jason Wallace <jason.r.wallace () gmail com>
> wrote:
>
> I have a similar situation, a proxy with a single NIC. While my sensor
> is inline with this NIC, I prefer to only inspect the traffic between
> the client and the proxy, and not the proxy to outside. This is the
> BPF I use.
>
> (src net 10.0.0.0/8 or src net 192.168.0.0/16 or src net
> 172.16.0.0/12) and (dst net <proxy #1 IP>/32 or dst net <proxy #2
> IP>/32) or (src net <proxy #1 IP>/32 or src net <proxy #2 IP>/32) and
> (dst net 10.0.0.0/8 or dst net 192.168.0.0/16 or dst net
> 172.16.0.0/12)
>
> Thx,
> Wally
>
> On Fri, Jan 18, 2013 at 12:34 PM, waldo kitty <wkitty42 () windstream net>
> wrote:
>
> On 1/18/2013 06:50, J. H wrote:
>
> Hi,
>
> Thank you for answering.
>
> Only one interface on my proxy machine.
>
> SQUID/Snort listenin on the same one.
>
>
> some might consider that to be part of the problem... it sounds like what
> you
> want is for snort to be listening only to your internal machines... you
> might be
> able to use a bpf to block out alerts concerning your proxy...
>
>
>
> ------------------------------------------------------------------------------
> Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
> much more. Get web development skills now with LearnDevNow -
> 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
> SALE $99.99 this month only -- learn more at:
> http://p.sf.net/sfu/learnmore_122812
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!
>
>
> ------------------------------------------------------------------------------
> Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
> much more. Get web development skills now with LearnDevNow -
> 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
> SALE $99.99 this month only -- learn more at:
> http://p.sf.net/sfu/learnmore_122812
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

------------------------------------------------------------------------------
Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
much more. Get web development skills now with LearnDevNow -
350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
SALE $99.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122812
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!