[Snort-users] snort and squid

Helmut Schneider jumper99 at ...348...
Fri Jan 18 04:26:51 EST 2008


From: "Joel Esler" <joel.esler at ...1935...>

> You have two options.  Correlate the events with the logs from your Squid 
> proxy, or move the Snort sensor inside the proxy.

The second sensor *is* on the proxy.

> Sometimes (and right now I can't remember if Squid does it) it will add a 
> header to the http that says "X-Forwarded-For" or similar that

X-Forwarded-For is disabled of course. :)

> will have the IP of the actual client.  However, like I said, I can't 
> remember if Squid does that for you, and that would be the only way that 
> you can see the IP behind the proxy.

So, snort (or the current ruleset) is not able to inspect certain squid 
traffic? As I replied to Paul, some things are caught (e.g. SHELLCODE x86 
NOOP, Invalid FTP Command, and some more) but not the policy or porn 
traffic. 
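Joel's first option above, correlating an alert seen on the proxy's outside leg with Squid's access.log to recover the client behind it, worked through as an added example. This is not code from the thread, from Snort or from Squid. The alert lines are in Snort's alert_fast layout and the access.log lines are in Squid's native layout, but all of them are constructed samples; the proxy address, the log year (alert_fast timestamps carry no year), UTC clocks on both boxes and the five-second match window are assumptions.

```python
"""Correlate Snort alert_fast lines with Squid native access.log lines to find
which internal client was behind a request the proxy made on their behalf.

Added example, not code from the thread, Snort or Squid. Every log line below
is a constructed sample; PROXY_IP, LOG_YEAR, the UTC assumption and WINDOW are
assumptions a real deployment would replace with its own values.
"""
import re
from datetime import datetime, timedelta, timezone

PROXY_IP = "10.0.0.5"          # assumption: the Squid box's outside address
LOG_YEAR = 2008                # assumption: alert_fast timestamps have no year
WINDOW = timedelta(seconds=5)  # assumption: tolerated clock skew plus latency

# Constructed Snort alert_fast lines: the sensor sits outside the proxy, so
# the source of every alert is the proxy itself, not the real client.
SNORT_ALERTS = """\
01/18-04:20:11.123456  [**] [1:648:7] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 10.0.0.5:44123 -> 203.0.113.10:80
01/18-04:21:40.000001  [**] [1:1000001:1] LOCAL policy test [**] [Priority: 3] {TCP} 10.0.0.5:44200 -> 198.51.100.7:80
"""

# Constructed Squid native access.log lines:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SQUID_ACCESS = """\
1200630011.400    245 192.168.1.42 TCP_MISS/200 1523 GET http://203.0.113.10/index.html - DIRECT/203.0.113.10 text/html
1200630100.300     90 192.168.1.77 TCP_MISS/200 512 GET http://198.51.100.7/ - DIRECT/198.51.100.7 text/html
1200630300.000     50 192.168.1.42 TCP_HIT/200 300 GET http://203.0.113.10/x.gif - NONE/- image/gif
"""

ALERT_RE = re.compile(
    r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\.(?P<us>\d+)"
    r"\s+\[\*\*\]\s+\[[^\]]+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alerts(text, year=LOG_YEAR):
    """Parse alert_fast lines into dicts with a timezone-aware timestamp."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # skip anything that is not a one-line fast alert
        ts = datetime(year, int(m["mon"]), int(m["day"]), int(m["h"]),
                      int(m["m"]), int(m["s"]), int(m["us"]), tzinfo=timezone.utc)
        alerts.append({"time": ts, "msg": m["msg"], "src": m["src"],
                       "dst": m["dst"], "dport": int(m["dport"])})
    return alerts


def parse_squid(text):
    """Parse Squid native access.log lines; keep the client, URL host and peer."""
    requests = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 9:
            continue
        ts = datetime.fromtimestamp(float(f[0]), tz=timezone.utc)
        # Host part of the URL; also handles CONNECT's bare host:port form.
        host = re.sub(r"^\w+://", "", f[6]).split("/", 1)[0].split(":")[0]
        peer = f[8].split("/", 1)[1]  # the IP Squid actually connected to, or "-"
        requests.append({"time": ts, "client": f[2], "host": host, "peer": peer})
    return requests


def correlate(alerts, requests, proxy_ip=PROXY_IP, window=WINDOW):
    """For each alert sourced from the proxy, list the internal clients whose
    request to the same destination completed within the window.
    Returns [(alert message, destination IP, sorted candidate clients), ...]."""
    results = []
    for a in alerts:
        if a["src"] != proxy_ip:
            continue  # not proxied traffic; the alert already names the client
        clients = sorted({
            r["client"] for r in requests
            if a["dst"] in (r["host"], r["peer"])
            and abs(r["time"] - a["time"]) <= window
        })
        results.append((a["msg"], a["dst"], clients))
    return results


if __name__ == "__main__":
    for msg, dst, clients in correlate(parse_alerts(SNORT_ALERTS), parse_squid(SQUID_ACCESS)):
        print(f"{msg!r} -> {dst}: candidate clients {clients or 'none in window'}")
```

The match key is deliberately weak: destination address plus a time window, because that is all an alert_fast line and a native access.log line share. When two clients reach the same host within the window the result is a list of candidates, not one answer, so the output should be read as a lead for the Squid log rather than as attribution on its own; a full-alert log (with packet payload) or a Squid log format that records the URL lets the match be narrowed further.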
