[Snort-users] snort and squid
jumper99 at ...348...
Fri Jan 18 10:14:09 EST 2008
> Of course Snort will inspect the traffic. However, to view the internal
> ip, if the proxy is rewriting the Source IP, then it's a limitation.
> If your intention is other, please clarify. I'm afraid I am not sure I
> understand what you are asking then.
It shouldn't matter if I inspect traffic from the proxy to the webserver or
from the client to the proxy, the content should be the same.
But - I put snort on the proxy and changed HTTP_PORTS to 3128. I use the
same snort.conf for the external sensor and for the sensor on the proxy.
Now, what happens is, that I hit certain rules (e.g. SHELLCODE x86 NOOP,
Invalid FTP Command, and some more, so the sensor itself is working fine)
but I do not hit the porn or policy rules. I can wireshark the traffic from
the client to the proxy, I see the words 'porn' or 'masturbate' or whatever
in cleartext but snort does not hit some rules at all.
At the same time the rules for porn or policy *are* hit on the external
So now I wonder why the external sensor hits the rules while the sensor on
the proxy does not. Although I use exactly the same snort.conf except of
Hope that clarifies. :)