[Snort-users] snort and squid

Helmut Schneider jumper99 at ...348...
Thu Jan 17 10:17:41 EST 2008


From: "Paul Melson" <pmelson at ...11827...>

>> I'm using snort 2.7 on two machines, one at a hub next to the router
>> and the firewall and since yesterday a second sensor on my proxy
>> (squid). All web-traffic must go through the proxy.
>> The first sensor gives information about e.g. that one uses Google
>> Desktop but does not say which client (of course, as source is the
>> proxy). So I installed snort as a second sensor on the proxy but
>> without success. The alerts the first sensors finds are not found on
>> the second sensor (the squid protocol might differ from HTTP).
>>
>> Is there a way to configure snort to reveal which exact client "breaks"
>> policies?
>
> Add 3128 to HTTP_PORTS in your snort.conf.  All of your HTTP rules
> will be looking on port 80 and the traffic to the proxy is on 3128.

Still no luck. I get tons of 'http_inspect', lots of 'icmp' stuff, but not a 
single 'porn', 'Google Desktop', ... alert is caught (while on the external 
sensor it is; and I use the same configuration as on the external sensor and 
only changed EXTERNAL_NET).

var HOME_NET [192.168.0.0/24,192.168.1.0/24,192.168.2.0/24]
var EXTERNAL_NET any
#var EXTERNAL_NET 192.168.1.70/32
[...]
var HTTP_SERVERS $HOME_NET
[...]
var WWW_SERVERS $HOME_NET
[...]
var HTTP_PORTS 3128
[...]
var RULE_PATH /usr/local/etc/snort/rules
[...]
[...]
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: \
    server default \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    chunk_length 500000 \
    flow_depth 1460 \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    non_strict \
    oversize_dir_length 500 \
    ports { 80 2301 3128 8000 8080 8180 8888 } \
    u_encode yes \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    webroot no
[...]
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
[...] 
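Why the port list decides which host an alert names, as an added example that is not from the thread and not Snort's own matching code: a small Python evaluator of a Snort 2.x-style rule header with $VAR substitution, run over two constructed packets as a sensor on the proxy host sees them, the client-to-proxy leg on 3128 and the proxy-to-web leg on 80. The rule text, SID, addresses and payloads are constructed for the illustration; the evaluator checks only the five-tuple and one content string and ignores flow direction, stream reassembly and http_inspect normalisation.

```python
"""Toy evaluator for Snort 2.x rule headers with $VAR substitution.

Added example, not Snort's detection engine: it models the five-tuple
header and a single content: string, which is enough to show why a
sensor on the proxy needs 3128 in HTTP_PORTS before a policy rule can
name the real client instead of the proxy.
"""
import ipaddress
import re

# Proxy address taken from the commented-out EXTERNAL_NET line above.
PROXY = "192.168.1.70"

# A policy-style rule in the shape of the policy.rules entries; the text
# and SID are constructed for this example, not a real VRT rule.
RULE = ('alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
        '(msg:"POLICY Google Desktop user-agent"; '
        'content:"Google Desktop"; sid:1000001;)')

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$")

# Two constructed packets as seen on the proxy host: the client leg on
# 3128 and the upstream leg the proxy opens on 80 for the same request.
PACKETS = [
    {"src": "192.168.1.23", "sport": 51001, "dst": PROXY, "dport": 3128,
     "payload": "GET http://www.example.com/ HTTP/1.1\r\n"
                "User-Agent: Google Desktop\r\n\r\n"},
    {"src": PROXY, "sport": 40001, "dst": "203.0.113.10", "dport": 80,
     "payload": "GET / HTTP/1.1\r\nUser-Agent: Google Desktop\r\n\r\n"},
]


def parse_nets(spec):
    """'any' -> None (match all); '[a/24,b/24]' or 'a/24' -> list of networks."""
    spec = spec.strip("[]")
    if spec == "any":
        return None
    return [ipaddress.ip_network(n) for n in spec.split(",") if n]


def parse_ports(spec):
    """'any' -> None (match all); '80' or '[80,3128]' -> set of ints."""
    spec = spec.strip("[]")
    if spec == "any":
        return None
    return {int(p) for p in spec.split(",") if p}


def parse_rule(text, variables):
    """Substitute $VARs from the snort.conf-style dict and split the header."""
    m = HEADER_RE.match(text)
    if m is None:
        raise ValueError("unparseable rule header")

    def var(token):
        return variables[token[1:]] if token.startswith("$") else token

    opts = dict(re.findall(r'(\w+):"?([^;"]*)"?;', m.group("opts")))
    return {
        "src": parse_nets(var(m.group("src"))),
        "sport": parse_ports(var(m.group("sport"))),
        "dst": parse_nets(var(m.group("dst"))),
        "dport": parse_ports(var(m.group("dport"))),
        "content": opts.get("content", ""),
        "msg": opts.get("msg", ""),
    }


def ip_in(ip, nets):
    return nets is None or any(ipaddress.ip_address(ip) in n for n in nets)


def port_in(port, ports):
    return ports is None or port in ports


def evaluate(rule, packet):
    """Return the source IP the alert would carry, or None for no match."""
    if not (ip_in(packet["src"], rule["src"]) and port_in(packet["sport"], rule["sport"])
            and ip_in(packet["dst"], rule["dst"]) and port_in(packet["dport"], rule["dport"])):
        return None
    if rule["content"] and rule["content"] not in packet["payload"]:
        return None
    return packet["src"]


def alert_sources(http_ports):
    """Source addresses of the alerts the rule raises for a given HTTP_PORTS value."""
    variables = {
        "HOME_NET": "[192.168.0.0/24,192.168.1.0/24,192.168.2.0/24]",
        "EXTERNAL_NET": "any",
        "HTTP_PORTS": http_ports,
    }
    rule = parse_rule(RULE, variables)
    hits = (evaluate(rule, p) for p in PACKETS)
    return [src for src in hits if src is not None]


if __name__ == "__main__":
    for ports in ("80", "3128", "[80,3128]"):
        print(f"HTTP_PORTS {ports:<10} -> alert sources {alert_sources(ports)}")
```

With HTTP_PORTS set to 80 alone the only leg that matches is the upstream one, so the alert's source is the proxy, which is exactly what the external sensor reports. With 3128 in the list the client leg matches and the alert carries the client's address, which is what the question asks for. A list holding both ports raises one alert per leg for the same request on the proxy sensor, worth remembering when counting hits.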