[Snort-users] Alert on contents of proxy traffic

Will Metcalf william.metcalf at ...11827...
Mon Nov 26 12:10:26 EST 2007


Well, first off, you are not going to see very much of the payload
returned from an external webserver because of the default flow_depth
in http_inspect.  You can set flow_depth to 0 to see the entire
payload, at the expense of deep-sixing your IDS.  In addition, if you
are wrapping requests inside of a Winsock proxy client (ISA Server),
Snort may not fire because it does not know how to decode this
protocol.

Regards,

Will

On Nov 26, 2007 10:47 AM, Gould, Scott <scott.gould at ...11473...> wrote:
> Thanks for the prompt reply
>
> Snort version 2.4.5
> Proxy runs on port 80
>
> An example rule would be just about any web content.  For example, a
> rule that triggers on the outside between the internal proxy server and
> external webservers with the following options:
>
>  alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test
> Phrase"; content:"test Phrase"; nocase;
> flow:to_client,established;...........
>
> Would only trigger on the inside between the internal client and
> internal http proxy server, if I remove the flow info:
>
>  alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test
> Phrase"; content:"test Phrase"; nocase;
> ......................................
>
>
> For testing purposes I have set the $EXTERNAL_NET and $HOME_NET to any.
>
> BTW, there are 2 different snort instances here.  But, other than server
> specific settings for some of the preprocessors (servers which are not
> involved in this scenario), the configs are the same for testing
> purposes.
>
> Scott
>
>
>
>
> -----Original Message-----
> From: rmkml [mailto:rmkml at ...953...]
> Sent: Monday, November 26, 2007 9:00 AM
> To: Gould, Scott
> Cc: rmkml at ...953...
> Subject: Re: [Snort-users] Alert on contents of proxy traffic
>
> Hi Scott,
> What Snort version do you use, please?
> Maybe send an example (traffic/alert)?
> And send snort.conf?
> What port is your proxy on, please? (81? 3128? 8000? 8080?) Interesting
> thing with Snort 2.8.0 and port var features!
> Best Regards
> Rmkml
>
>
> On Mon, 26 Nov 2007, Gould, Scott wrote:
>
> > Date: Mon, 26 Nov 2007 11:29:31 -0500
> > From: "Gould, Scott" <scott.gould at ...11473...>
> > To: Snort-users at lists.sourceforge.net
> > Subject: [Snort-users] Alert on contents of proxy traffic
>
> >
> > Here is the setup:
> >
> > Snort is listening on traffic flowing between internal users and the http
> > proxy, and on traffic flowing between the internal proxy and
> > external web servers.  As anticipated, many rules are triggered on the
> > traffic between the internal proxy and the external web servers.  BUT,
> > the same rules are not triggered on the same traffic between the http proxy
> > and the internal users.
> >
> > What I am trying to achieve is to see an alert between the internal http
> > proxy and external webservers, and correlate it to an alert on the same
> > traffic, but as it flows between the internal users and the internal
> > http proxy.  For some reason, only the outside traffic is triggering
> > the alert.  To confirm that snort and the variables are set up correctly for
> > testing so that I should see alerts, I confirmed I can trigger rules on
> > ICMP traffic between the internal http proxy and the internal users.
> >
> > It appears that the proxy is doing something to the traffic as it
> > flows between the internal http proxy and the users, so that it is not
> > detected by snort rules.
> >
> > Any thoughts or suggestions on where to start tinkering?
> >
> > Thanks in advance,
> >
> > Scott
> >
> > Scott Gould
> >
> > Senior Network & Systems Analyst
> > Gynecologic Oncology Group
> > Statistical & Data Center
> > scott.gould at ...11473...
> > 716-845-5702
> >
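Added illustration of the flow_depth point Will makes above and of the rule Scott posted; this is not configuration from the thread. It uses the Snort 2.4-era http_inspect_server syntax, and the port list, the unicode.map path, and the rule's classtype/sid/rev are assumed for the example (Scott's rule was posted with its remaining options elided).

```conf
# --- snort.conf fragment (Snort 2.4-era syntax; assumed example, not from the thread) ---

preprocessor http_inspect: global \
    iis_unicode_map unicode.map 1252

# As shipped: "profile all" sets flow_depth to its default of 300, so only the
# first 300 bytes of each server response (roughly the HTTP headers) are handed
# to the detection engine.  A content match that sits deeper in the page body
# is never seen, which is why to_client content rules rarely fire.
# The ports list must include the port the internal proxy listens on (80 in
# Scott's setup), otherwise the proxy -> client leg is not treated as an HTTP
# server response at all.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 } flow_depth 300

# For the test: flow_depth 0 means "inspect the entire server response".
# Every byte of every page now goes through pattern matching, which is the
# performance cost Will warns about on a busy link.  (-1 would disable
# inspection of server-side traffic on these ports entirely.)
# preprocessor http_inspect_server: server default \
#     profile all ports { 80 8080 } flow_depth 0

# --- local.rules: Scott's test rule, with the flow option and without it ---

# With flow:to_client,established the rule only applies to server -> client
# packets on an established session.  On the inside leg the "server" is the
# proxy, so the proxy's port has to be in $HTTP_PORTS for this to match.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test Phrase"; \
    content:"test Phrase"; nocase; flow:to_client,established; \
    classtype:misc-activity; sid:1000001; rev:1;)

# Without the flow option the rule matches the phrase regardless of which
# direction the packet is travelling in, as long as the address/port
# header still fits.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test Phrase no flow"; \
    content:"test Phrase"; nocase; \
    classtype:misc-activity; sid:1000002; rev:1;)
```

To check which setting is in effect, run `snort -c snort.conf -T` and read the http_inspect_server summary it prints at startup; the flow depth for each configured server is listed there.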