[Snort-users] snort and squid

Joel Esler joel.esler at ...1935...
Fri Jan 18 09:09:21 EST 2008

Of course Snort will inspect the traffic.  However, to view the  
internal ip, if the proxy is rewriting the Source IP, then it's a  

If your intention is other, please clarify.  I'm afraid I am not sure  
I understand what you are asking then.


On Jan 18, 2008, at 4:26 AM, Helmut Schneider wrote:

> From: "Joel Esler" <joel.esler at ...1935...>
>> You have two options.  Correlate the events with the logs from  
>> your  Squid
>> proxy, or move the Snort sensor inside the proxy.
> The second sensor *is* on the proxy.
>> Sometimes (and right now I can't remember if Squid does it) it  
>> will  add a
>> header to the http that says "X-Forwarded-For" or similar that
> X-Forwared-For is disabled of course. :)
>> will have the IP of the actual client.  However, like I said, I can't
>> remember if Squid does that for you, and that would be the only  
>> way  that
>> you can see the IP behind the proxy.
> So, snort (or the current ruleset) is not able to inspect certain  
> squid
> traffic? As I replied to Paul, some things are caught (e.g.  
> NOOP, Invalid FTP Command, and some more) but not the policy or porn
> traffic.
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20080118/e655e9c3/attachment.html>

More information about the Snort-users mailing list