[Snort-users] Alert on contents of proxy traffic

Gould, Scott scott.gould at ...11473...
Mon Nov 26 11:29:31 EST 2007


Here is the setup:
 
Snort listening on traffic flowing between internal users and http
proxy.  Snort listening on traffic flowing between internal proxy and
external web servers.  As anticipated, many rules are triggered on the
traffic between the internal proxy and the external web servers.  BUT
the same rules are not triggered on the same traffic between the http
proxy and the internal users.
 
What I am trying to achieve is to see an alert between the internal http
proxy and external web servers, and correlate it to an alert on the same
traffic, but as it flows between the internal users and the internal
http proxy.  For some reason, only the outside traffic is triggering the
alert.  To confirm snort and variables are set up correctly for testing
so that I should see alerts, I confirmed I can trigger rules on ICMP
traffic between the internal http proxy and the internal users.
 
It appears that the proxy is doing something to the traffic as it flows
between the internal http proxy and the users, so that it is not detected
by snort rules.
 
Any thoughts or suggestions on where to start tinkering?
 
Thanks in advance,

Scott
 
Scott Gould

Senior Network & Systems Analyst
Gynecologic Oncology Group
Statistical & Data Center
scott.gould at ...11473...
716-845-5702
