Snort mailing list archives

Question: Snort-Alerts do not fire when traffic goes thru proxy


From: Claus Regelmann <rgc () rgc1 inka de>
Date: Thu, 19 Mar 2015 02:31:26 +0100

Hello,

my Snort (2.9.7.2) runs on a small Linux firewall and listens on the interface
connected to the internet (not in-line). On the same machine, a Squid proxy is running.

I wrote a small local rule:
alert tcp $HOME_NET any -> any [8080,7779] (msg:"RgC: HIGH RISK possible outbound GEODO URI pattern found"; pcre:"/[^\/]*\/[0-9a-f]{5,8}\//U"; classtype:trojan-activity; sid:1000004; rev:1;)

HOME_NET is set in snort.conf:
# Setup the network addresses you are protecting
ipvar HOME_NET [10.1.0.0/16,192.168.0.0/16]

The above rule alerts when I run a test without proxying (src 10.1.2.20):
(Event)
         sensor id: 0    event id: 11    event second: 1426699327        event microsecond: 60572
         sig id: 1000004 gen id: 1       revision: 1      classification: 21
         priority: 1     ip source: 10.1.2.20    ip destination: 202.44.54.3
         src port: 49170 dest port: 8080 protocol: 6     impact_flag: 0  blocked: 0

Packet
         sensor id: 0    event id: 11    event second: 1426699327
         packet second: 1426699327       packet microsecond: 60572
         linktype: 1     packet_length: 473
[    0] 9C C7 A6 2F 8C 14 00 22 19 6E 94 17 08 00 45 00  .../...".n....E.
[   16] 01 CB 01 60 40 00 7F 06 EC 88 0A 01 02 14 CA 2C  ...`@..........,
[   32] 36 03 C0 12 1F 90 64 F3 DA F8 0A 7B D4 EB 50 18  6.....d....{..P.
[   48] 3E 64 74 38 00 00 50 4F 53 54 20 2F 63 61 61 31  >dt8..POST /caa1
[   64] 31 62 31 39 2F 32 30 34 32 39 35 31 32 33 34 2F  1b19/2042951234/
[   80] 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70   HTTP/1.1..Accep
[   96] 74 3A 20 2A 2F 2A 0D 0A 55 73 65 72 2D 41 67 65  t: */*..User-Age
[  112] 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20  nt: Mozilla/5.0
[  128] 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49  (compatible; MSI
[  144] 45 20 39 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E  E 9.0; Windows N
[  160] 54 20 37 2E 31 3B 20 54 72 69 64 65 6E 74 2F 35  T 7.1; Trident/5
[  176] 2E 30 29 0D 0A 48 6F 73 74 3A 20 32 30 32 2E 34  .0)..Host: 202.4
[  192] 34 2E 35 34 2E 33 3A 38 30 38 30 0D 0A 43 6F 6E  4.54.3:8080..Con
[  208] 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31 39 36  tent-Length: 196
[  224] 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65  ..Connection: Ke
[  240] 65 70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D  ep-Alive..Cache-
[  256] 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68  Control: no-cach
[  272] 65 0D 0A 0D 0A 87 DD 5F 07 05 0D 18 94 46 50 8C  e......_.....FP.
[  288] 55 2E BF 45 6B C5 F8 2B AB DB 07 3C 20 5D B0 EF  U..Ek..+...< ]..
[  304] C5 D6 ED A9 81 71 54 5F 78 27 28 61 BD AF E9 57  .....qT_x'(a...W
[  320] 60 FA 27 D6 C0 E9 3C 04 7C 5C 81 44 A0 DA 9B E6  `.'...<.|\.D....
[  336] C2 7F 86 8F C6 00 CB DB 87 54 F0 9D CC D3 69 88  .........T....i.
[  352] 2D 01 C7 8A EB C8 9D 99 1D 36 FB 09 53 DC 7F 5B  -........6..S..[
[  368] AC 0F 94 25 32 97 12 7F D0 DE 75 B1 22 8B FD 5D  ...%2.....u."..]
[  384] 69 BE 53 E1 E7 89 62 45 02 48 86 AE 36 40 F0 DF  i.S...bE.H..6@..
[  400] DC 30 A7 65 B5 20 C0 5D 2C 86 15 53 8B 25 29 25  .0.e. .],..S.%)%
[  416] 0E DF FD C0 A0 05 B4 39 57 D5 D9 4E 26 01 71 8F  .......9W..N&.q.
[  432] FA 9F 2C 31 8F D3 C7 3D 55 0A 7D B5 F5 5E FB E0  ..,1...=U.}..^..
[  448] EC 74 E9 31 24 B3 A9 97 08 06 F1 85 E0 C4 CF B6  .t.1$...........
[  464] F6 46 DD F7 66 93 F7 58 7D                       .F..f..X}

When I redirect the traffic through the proxy, the above rule does not fire,
although I see the malware traffic in a tcpdump capture.
0000  9c c7 a6 2f 8c 14 00 22  19 6e 94 17 08 00 45 00   .../..." .n....E.
0010  01 16 55 b2 40 00 40 06  70 67 c0 a8 b2 f0 ca 2c   ..U.@.@. pg.....,
0020  36 03 94 34 1f 90 ba e0  cd 53 82 72 a1 68 80 18   6..4.... .S.r.h..
0030  00 5c 74 d1 00 00 01 01  08 0a 0e 95 98 ff 31 92   .\t..... ......1.
0040  76 d9 50 4f 53 54 20 2f  63 61 61 31 31 62 31 39   v.POST / caa11b19
0050  2f 32 30 34 32 39 35 31  32 33 34 2e 70 68 70 20   /2042951 234.php
0060  48 54 54 50 2f 31 2e 31  0d 0a 41 63 63 65 70 74   HTTP/1.1 ..Accept
0070  3a 20 2a 2f 2a 0d 0a 55  73 65 72 2d 41 67 65 6e   : */*..U ser-Agen
0080  74 3a 20 4d 6f 7a 69 6c  6c 61 2f 35 2e 30 20 28   t: Mozil la/5.0 (
0090  63 6f 6d 70 61 74 69 62  6c 65 3b 20 4d 53 49 45   compatib le; MSIE
00a0  20 39 2e 30 3b 20 57 69  6e 64 6f 77 73 20 4e 54    9.0; Wi ndows NT
00b0  20 37 2e 31 3b 20 54 72  69 64 65 6e 74 2f 35 2e    7.1; Tr ident/5.
00c0  30 29 0d 0a 48 6f 73 74  3a 20 32 30 32 2e 34 34   0)..Host : 202.44
00d0  2e 35 34 2e 33 3a 38 30  38 30 0d 0a 43 6f 6e 74   .54.3:80 80..Cont
00e0  65 6e 74 2d 4c 65 6e 67  74 68 3a 20 31 39 36 0d   ent-Leng th: 196.
00f0  0a 43 61 63 68 65 2d 43  6f 6e 74 72 6f 6c 3a 20   .Cache-C ontrol:
0100  6e 6f 2d 63 61 63 68 65  0d 0a 43 6f 6e 6e 65 63   no-cache ..Connec
0110  74 69 6f 6e 3a 20 6b 65  65 70 2d 61 6c 69 76 65   tion: ke ep-alive
0120  0d 0a 0d 0a                                        ....
The source IP here is 192.168.178.240, the address of the interface facing the internet,
and it lies within the HOME_NET range (second entry).

There are also VRT and ET rules that do not fire when the traffic goes
through the proxy.

Can anybody give me a hint as to what's wrong here?

Thanks
Claus
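As an added check (not part of Claus's post and not Snort's own code), the script below replays the two frames from the hex dumps above against the rule's own conditions: source address in HOME_NET, destination port in [8080,7779], and the pcre body run over the request-line URI (an assumption standing in for http_inspect's normalized URI buffer that the U flag selects). It also recomputes the IPv4 and TCP checksums, because Snort verifies checksums before detection by default (config checksum_mode: all) and does not inspect segments that fail. That matters for the proxied segment, which originates on the firewall itself (TTL 64, versus 127 on the forwarded Windows request): on a host with TX checksum offload enabled, a local capture commonly sees such segments before the NIC fills the checksum in. The frames are transcribed from the post's dumps; the only further assumptions are untagged Ethernet II / IPv4 / TCP framing.

```python
"""Added check: replay the two captured POSTs against the rule's header and
pcre conditions and verify their IPv4 and TCP checksums."""
import ipaddress
import re
import struct

# From snort.conf in the post: ipvar HOME_NET [10.1.0.0/16,192.168.0.0/16]
HOME_NET = [ipaddress.ip_network(n) for n in ("10.1.0.0/16", "192.168.0.0/16")]
RULE_DST_PORTS = {8080, 7779}
# Body of pcre:"/[^\/]*\/[0-9a-f]{5,8}\//U".  Assumption: the raw request-line
# URI stands in for the normalized URI buffer that the U flag selects.
URI_PCRE = re.compile(r"[^/]*/[0-9a-f]{5,8}/")

# Frames transcribed from the two hex dumps in the post (whitespace is ignored).
DIRECT = bytes.fromhex("""
9cc7a62f8c140022196e94170800450001cb016040007f06ec880a010214ca2c
3603c0121f9064f3daf80a7bd4eb50183e6474380000504f5354202f63616131
316231392f323034323935313233342f20485454502f312e310d0a4163636570
743a202a2f2a0d0a557365722d4167656e743a204d6f7a696c6c612f352e3020
28636f6d70617469626c653b204d53494520392e303b2057696e646f7773204e
5420372e313b2054726964656e742f352e30290d0a486f73743a203230322e34
342e35342e333a383038300d0a436f6e74656e742d4c656e6774683a20313936
0d0a436f6e6e656374696f6e3a204b6565702d416c6976650d0a43616368652d
436f6e74726f6c3a206e6f2d63616368650d0a0d0a87dd5f07050d189446508c
552ebf456bc5f82babdb073c205db0efc5d6eda98171545f78272861bdafe957
60fa27d6c0e93c047c5c8144a0da9be6c27f868fc600cbdb8754f09dccd36988
2d01c78aebc89d991d36fb0953dc7f5bac0f94253297127fd0de75b1228bfd5d
69be53e1e7896245024886ae3640f0dfdc30a765b520c05d2c8615538b252925
0edffdc0a005b43957d5d94e2601718ffa9f2c318fd3c73d550a7db5f55efbe0
ec74e93124b3a9970806f185e0c4cfb6f646ddf76693f7587d
""")
PROXIED = bytes.fromhex("""
9cc7a62f8c140022196e941708004500011655b2400040067067c0a8b2f0ca2c
360394341f90bae0cd538272a1688018005c74d100000101080a0e9598ff3192
76d9504f5354202f63616131316231392f323034323935313233342e70687020
485454502f312e310d0a4163636570743a202a2f2a0d0a557365722d4167656e
743a204d6f7a696c6c612f352e302028636f6d70617469626c653b204d534945
20392e303b2057696e646f7773204e5420372e313b2054726964656e742f352e
30290d0a486f73743a203230322e34342e35342e333a383038300d0a436f6e74
656e742d4c656e6774683a203139360d0a43616368652d436f6e74726f6c3a20
6e6f2d63616368650d0a436f6e6e656374696f6e3a206b6565702d616c697665
0d0a0d0a
""")


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum; a header or segment with its checksum verifies at 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def parse_frame(frame: bytes) -> dict:
    """Untagged Ethernet II / IPv4 / TCP; returns addresses, ports, checksum results, payload."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ip = ip[:struct.unpack("!H", ip[2:4])[0]]      # honour the IP total length
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4                  # TCP header length incl. options
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return {
        "src": ipaddress.ip_address(ip[12:16]),
        "dst": ipaddress.ip_address(ip[16:20]),
        "ttl": ip[8],
        "sport": sport,
        "dport": dport,
        "ip_checksum_ok": ones_complement_sum(ip[:ihl]) == 0xFFFF,
        "tcp_checksum_ok": ones_complement_sum(pseudo + tcp) == 0xFFFF,
        "payload": tcp[data_off:],
    }


def request_uri(payload: bytes) -> str:
    """Request-target of an HTTP/1.x request line, or '' if the payload has none."""
    parts = payload.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    return parts[1] if len(parts) == 3 else ""


def evaluate_rule(frame: bytes) -> dict:
    """Apply the rule's header (src in HOME_NET, dst port) and pcre conditions."""
    p = parse_frame(frame)
    p["uri"] = request_uri(p["payload"])
    p["header_match"] = (any(p["src"] in net for net in HOME_NET)
                         and p["dport"] in RULE_DST_PORTS)
    p["pcre_match"] = URI_PCRE.search(p["uri"]) is not None
    return p


if __name__ == "__main__":
    for name, frame in (("direct", DIRECT), ("proxied", PROXIED)):
        r = evaluate_rule(frame)
        print(f"{name:8s} {r['src']}:{r['sport']} -> {r['dst']}:{r['dport']} ttl={r['ttl']}"
              f" uri={r['uri']} header={r['header_match']} pcre={r['pcre_match']}"
              f" ip_csum_ok={r['ip_checksum_ok']} tcp_csum_ok={r['tcp_checksum_ok']}")
```

Both frames satisfy the header and pcre conditions, so whatever suppresses the alert lies before rule evaluation, not in the rule text. If the proxied segment reports tcp_csum_ok False while the direct one verifies, compare the TX offload state of the external interface (ethtool -k) and, for testing only, set config checksum_mode: none in snort.conf; leaving verification off in production also lets deliberately corrupted segments reach detection, so it is a diagnostic step, not a fix.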

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
