[Snort-users] snort and squid
jumper99 at ...348...
Fri Jan 18 04:26:51 EST 2008
From: "Joel Esler" <joel.esler at ...1935...>
> You have two options. Correlate the events with the logs from your Squid
> proxy, or move the Snort sensor inside the proxy.
The second sensor *is* on the proxy.
> Sometimes (and right now I can't remember if Squid does it) it will add a
> header to the http that says "X-Forwarded-For" or similar that
X-Forwarded-For is disabled of course. :)
> will have the IP of the actual client. However, like I said, I can't
> remember if Squid does that for you, and that would be the only way that
> you can see the IP behind the proxy.
So, snort (or the current ruleset) is not able to inspect certain squid
traffic? As I replied to Paul, some things are caught (e.g. SHELLCODE x86
NOOP, Invalid FTP Command, and some more) but not the policy or porn
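Joel's first option, correlating the alert with the proxy's own log, as an added example that is not part of the original thread. On the WAN side of the proxy every Snort alert carries the proxy's address as its source, so the client has to be recovered from Squid's access.log by matching the alert's destination against the upstream peer Squid talked to, within a short time window. The Snort fast-format alert and the Squid native-format access.log lines below are constructed, and the alert year is supplied by the caller because the fast format omits it (an assumption about how the log was collected):

```python
"""Correlate a Snort fast-format alert, captured outside a Squid proxy, with
Squid's native access.log to recover the real client IP.  Added example; all
log lines are constructed, not taken from the original thread."""
import re
from datetime import datetime, timezone

# Constructed sample data.  10.0.0.5 is the proxy's outside address, so it is
# what Snort reports as the source of the request.  The SID is in the local
# rule range and is a placeholder, not a real ruleset entry.
SNORT_ALERTS = [
    "01/18-04:26:51.123456  [**] [1:1000001:1] SHELLCODE x86 NOOP [**] "
    "[Classification: Executable code was detected] [Priority: 1] "
    "{TCP} 10.0.0.5:43210 -> 93.184.216.34:80",
]

# Squid native format: epoch.ms elapsed_ms client result/status bytes method
# URL ident hierarchy/peer mime-type.  The first line finished 0.25 s before
# the alert above and went to the same upstream server.
SQUID_ACCESS_LOG = """\
1200630410.873    412 192.168.1.50 TCP_MISS/200 15234 GET http://example.com/download.bin - DIRECT/93.184.216.34 application/octet-stream
1200630405.120     98 192.168.1.77 TCP_HIT/200 1024 GET http://example.net/index.html - NONE/- text/html
1200629990.001    300 192.168.1.23 TCP_MISS/200 512 GET http://example.com/other - DIRECT/93.184.216.34 text/plain
"""

SNORT_FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sig>[^\]]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_snort_fast(line, year):
    """Parse one fast-format alert.  The format has no year, so the caller
    supplies it (assumption); timestamps are treated as UTC."""
    m = SNORT_FAST_RE.match(line)
    if not m:
        raise ValueError("not a Snort fast-format alert: %r" % line)
    ts = datetime.strptime("%d/%s" % (year, m["ts"]), "%Y/%m/%d-%H:%M:%S.%f")
    ts = ts.replace(tzinfo=timezone.utc)
    return {"time": ts.timestamp(), "sig": m["sig"], "msg": m["msg"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def parse_squid_native(line):
    """Parse one Squid native-format access.log line into a dict."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("not a Squid native log line: %r" % line)
    # hierarchy/peer looks like "DIRECT/93.184.216.34" or "NONE/-" on a cache hit
    peer = f[8].split("/", 1)[1]
    return {"time": float(f[0]), "elapsed_ms": int(f[1]), "client": f[2],
            "status": f[3], "method": f[5], "url": f[6], "peer": peer}


def correlate(alert, squid_entries, window=5.0):
    """Return Squid entries whose upstream peer is the alert's destination and
    whose request overlapped the alert time, padded by `window` seconds.
    Squid logs a request when it completes, so the start is recovered from
    the elapsed field."""
    matches = []
    for e in squid_entries:
        if e["peer"] != alert["dst"]:
            continue
        start = e["time"] - e["elapsed_ms"] / 1000.0
        if start - window <= alert["time"] <= e["time"] + window:
            matches.append(e)
    return matches


def clients_behind_alerts(alerts=SNORT_ALERTS, log=SQUID_ACCESS_LOG, year=2008):
    """For each alert, list the proxied clients that plausibly caused it."""
    entries = [parse_squid_native(l) for l in log.splitlines() if l.strip()]
    result = []
    for raw in alerts:
        alert = parse_snort_fast(raw, year)
        clients = sorted({e["client"] for e in correlate(alert, entries)})
        result.append((alert["msg"], alert["dst"], clients))
    return result


if __name__ == "__main__":
    for msg, dst, clients in clients_behind_alerts():
        print("%s -> %s : clients %s" % (msg, dst, ", ".join(clients) or "none"))
```

The match key is the upstream peer rather than the URL, because a sensor outside the proxy only sees the TCP endpoints and the payload, not which of Squid's concurrent clients asked for it; when several clients were talking to the same server inside the window the result is a candidate list, not a single answer. With Squid's `forwarded_for` directive turned off, as it is here, this log correlation is the only way to get back to the client from an outside sensor.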