[Snort-users] snort and squid

Helmut Schneider jumper99 at ...348...
Fri Jan 18 10:14:09 EST 2008


> Of course Snort will inspect the traffic.  However, to view the internal 
> ip, if the proxy
> is rewriting the Source IP, then it's a limitation.
>
> If your intention is other, please clarify.  I'm afraid I am not sure I 
> understand what
> you are asking then.

It shouldn't matter if I inspect traffic from the proxy to the webserver or 
from the client to the proxy, the content should be the same.

But - I put snort on the proxy and changed HTTP_PORTS to 3128. I use the 
same snort.conf for the external sensor and for the sensor on the proxy.

Now, what happens is, that I hit certain rules (e.g. SHELLCODE x86 NOOP, 
Invalid FTP Command, and some more, so the sensor itself is working fine) 
but I do not hit the porn or policy rules. I can wireshark the traffic from 
the client to the proxy, I see the words 'porn' or 'masturbate' or whatever 
in cleartext but snort does not hit some rules at all.

At the same time the rules for porn or policy *are* hit on the external 
sensor.

So now I wonder why the external sensor hits the rules while the sensor on 
the proxy does not. Althought I use exactly the same snort.conf except of 
HTTP_PORTS.

Hope that clarifies. :)

Helmut 





More information about the Snort-users mailing list