[Snort-users] snort and squid

Joel Esler joel.esler at ...1935...
Thu Jan 17 10:36:29 EST 2008

You have two options.  Correlate the events with the logs from your  
Squid proxy, or move the Snort sensor inside the proxy.

Sometimes (and right now I can't remember if Squid does it) it will  
add a header to the http that says "X-Forwarded-For" or similar that  
will have the IP of the actual client.  However, like I said, I can't  
remember if Squid does that for you, and that would be the only way  
that you can see the IP behind the proxy.


On Jan 17, 2008, at 5:46 AM, Helmut Schneider wrote:

> Hi,
> I'm using snort 2.7 on two machines, one at a hub next to the router  
> and the
> firewall and since yesterday a second sensor on my proxy (squid). All
> web-traffic must go through the proxy.
> The first sensor gives information about e.g. that one uses google  
> desktop
> but does not say which client (of course, as source is the proxy).  
> So I
> installed snort as a second sensor on the proxy but without success.  
> The
> alerts the first sensors finds are not found on the second sensor  
> (the squid
> protocol might differ from HTTP).
> Is there a way to configure snort to reveal which exact client  
> "breaks"
> policies?
> Thanks, Helmut
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list