[Snort-users] Alert on contents of proxy traffic

Gould, Scott scott.gould at ...11473...
Mon Nov 26 11:47:18 EST 2007


Thanks for the prompt reply

Snort version 2.4.5
Proxy runs on port 80

An example rule would be just about any web content.  For example, a
rule that triggers on the outside between the internal proxy server and
external webservers with the following options:

 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test
Phrase"; content:"test Phrase"; nocase;
flow:to_client,established;...........

Would only trigger on the inside between the internal client and
internal http proxy server, if I remove the flow info:

 alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test
Phrase"; content:"test Phrase"; nocase;
......................................


For testing purposes I have set the $EXTERNAL_NET and $HOME_NET to any.

BTW, there are 2 different snort instances here.  But, other than server
specific settings for some of the preprocessors (servers which are not
involved in this scenario), the configs are the same for testing
purposes.

Scott
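As an added illustration (not Snort code and not taken from Scott's or rmkml's posts), the following Python models how the rule header and the flow: option decide on each leg of a proxied session when $HOME_NET and $EXTERNAL_NET are both "any". The packet records, the placeholder addresses and the assumption that "established" is only satisfied when the sensor saw the handshake are the model's, not Snort's.

```python
import re
from dataclasses import dataclass

# Hypothetical packet record for this model (not a Snort structure).
@dataclass
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    from_server: bool     # packet flows server -> client inside the session
    handshake_seen: bool  # sensor saw the TCP 3-way handshake (stream state)

# Scott's test setting: both network variables are "any", proxy on port 80.
VARS = {"$EXTERNAL_NET": "any", "$HOME_NET": "any", "$HTTP_PORTS": "80"}

def _match_field(spec, value):
    spec = VARS.get(spec, spec)
    return spec == "any" or spec == str(value)

def rule_matches(rule, pkt):
    """Header plus flow: option against one packet. Model assumption:
    'established' is only satisfied when the handshake was seen."""
    _, _, src, sport, _arrow, dst, dport = rule.split()[:7]
    if not (_match_field(src, pkt.src) and _match_field(sport, pkt.sport)
            and _match_field(dst, pkt.dst) and _match_field(dport, pkt.dport)):
        return False
    m = re.search(r"flow:([^;]+);", rule)
    if not m:
        return True  # no flow option: the header alone decides
    flags = {f.strip() for f in m.group(1).split(",")}
    if "established" in flags and not pkt.handshake_seen:
        return False
    if "to_client" in flags and not pkt.from_server:
        return False
    return "to_server" not in flags or not pkt.from_server

RULE_FLOW = ('alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test Phrase"; '
             'content:"test Phrase"; nocase; flow:to_client,established;)')
RULE_NOFLOW = RULE_FLOW.replace(" flow:to_client,established;", "")

# Constructed packets with placeholder addresses: outside leg is webserver ->
# proxy, inside leg is proxy:80 -> user; the third is an inside-leg reply on a
# long-lived connection whose handshake the sensor never saw.
LEGS = {
    "outside": Pkt("203.0.113.10", 80, "10.0.0.5", 3412, True, True),
    "inside": Pkt("10.0.0.5", 80, "10.0.0.20", 51000, True, True),
    "inside_midstream": Pkt("10.0.0.5", 80, "10.0.0.20", 51001, True, False),
}

def evaluate(rule):
    return {name: rule_matches(rule, pkt) for name, pkt in LEGS.items()}
```

Running evaluate() on both rules shows the header alone cannot separate the two legs in this setup; in the model only the stream state (whether the handshake was seen) changes the outcome, which is one thing worth checking on the inside sensor.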



-----Original Message-----
From: rmkml [mailto:rmkml at ...953...] 
Sent: Monday, November 26, 2007 9:00 AM
To: Gould, Scott
Cc: rmkml at ...953...
Subject: Re: [Snort-users] Alert on contents of proxy traffic

Hi Scott,
What Snort version do you use, please?
Maybe send an example (traffic/alert)?
And send snort.conf?
What port is your proxy on, please? (81? 3128? 8000? 8080?) Interesting
thing with snort 280 and port var features!
Best Regards
Rmkml


On Mon, 26 Nov 2007, Gould, Scott wrote:

> Date: Mon, 26 Nov 2007 11:29:31 -0500
> From: "Gould, Scott" <scott.gould at ...11473...>
> To: Snort-users at lists.sourceforge.net
> Subject: [Snort-users] Alert on contents of proxy traffic
> 
> Here is the setup:
>
> Snort listening on traffic flowing between internal users and http 
> proxy.  Snort listening on traffic flowing between internal proxy and 
> external web servers.  As anticipated, many rules are triggered on the
> traffic between the internal proxy and the external web servers.  BUT,
> the same rules are not triggered on the same traffic between the http proxy 
> and the internal users.
>
> What I am trying to achieve is to see an alert between the internal http 
> proxy and external webservers, and correlate it to an alert on the same 
> traffic, but as it flows between the internal users and the internal 
> http proxy.  For some reason, only the outside traffic is triggering 
> the alert.  To confirm snort and variables are set up correctly for 
> testing so that I should see alerts, I confirmed I can trigger rules on 
> ICMP traffic between the internal http proxy and the internal users.
>
> It appears that the proxy is doing something to the traffic as it 
> flows between the internal http proxy and the users, so that it is not 
> detected by snort rules.
>
> Any thoughts or suggestions on where to start tinkering?
>
> Thanks in advance,
>
> Scott
>
> Scott Gould
>
> Senior Network & Systems Analyst
> Gynecologic Oncology Group
> Statistical & Data Center
> scott.gould at ...11473...
> 716-845-5702
>