[Snort-users] snort and squid

Seth sethsec at ...11827...
Fri Jan 18 13:18:46 EST 2008


Helmut,

Did you also add 3128 to the http_inspect preprocessor?  i.e.:
preprocessor http_inspect_server: server default profile all ports { 80 3128 }


-Seth

On Jan 18, 2008 10:14 AM, Helmut Schneider <jumper99 at ...348...> wrote:
> > Of course Snort will inspect the traffic.  However, to view the internal
> > ip, if the proxy
> > is rewriting the Source IP, then it's a limitation.
> >
> > If your intention is other, please clarify.  I'm afraid I am not sure I
> > understand what
> > you are asking then.
>
> It shouldn't matter if I inspect traffic from the proxy to the webserver or
> from the client to the proxy, the content should be the same.
>
> But - I put snort on the proxy and changed HTTP_PORTS to 3128. I use the
> same snort.conf for the external sensor and for the sensor on the proxy.
>
> Now, what happens is that I hit certain rules (e.g. SHELLCODE x86 NOOP,
> Invalid FTP Command, and some more, so the sensor itself is working fine)
> but I do not hit the porn or policy rules. I can wireshark the traffic from
> the client to the proxy, I see the words 'porn' or 'masturbate' or whatever
> in cleartext but snort does not hit some rules at all.
>
> At the same time the rules for porn or policy *are* hit on the external
> sensor.
>
> So now I wonder why the external sensor hits the rules while the sensor on
> the proxy does not, although I use exactly the same snort.conf except for
> HTTP_PORTS.
>
> Hope that clarifies. :)
>
> Helmut
>
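
Seth's question is whether the port set in HTTP_PORTS is also listed in the http_inspect_server ports list. The script below is an added example, not part of the original thread, that checks a snort.conf for that mismatch; the sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample: HTTP_PORTS was changed to the Squid port, but
# http_inspect_server still lists only its original ports.
SAMPLE_CONF = """\
var HOME_NET any
var HTTP_PORTS 3128
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \\
    profile all ports { 80 8080 } oversize_dir_length 500
"""

def _logical_lines(text):
    """Drop comments and join lines continued with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""

def http_ports_var(conf):
    """Ports assigned to HTTP_PORTS via 'var' or 'portvar' (80 or [80,3128]).
    Assumption: plain port numbers only; ranges and negation are not handled."""
    for line in _logical_lines(conf):
        m = re.match(r"(?:var|portvar)\s+HTTP_PORTS\s+(.+)$", line)
        if m:
            return {int(p) for p in re.findall(r"\d+", m.group(1))}
    return set()

def inspected_ports(conf):
    """Union of the 'ports { ... }' lists on all http_inspect_server lines."""
    ports = set()
    for line in _logical_lines(conf):
        if re.match(r"preprocessor\s+http_inspect_server\s*:", line):
            m = re.search(r"\bports\s*\{([^}]*)\}", line)
            if m:
                ports |= {int(p) for p in m.group(1).split()}
    return ports

def uninspected_http_ports(conf):
    """HTTP_PORTS entries that http_inspect_server is not configured for."""
    return sorted(http_ports_var(conf) - inspected_ports(conf))

if __name__ == "__main__":
    print("HTTP_PORTS not in http_inspect_server:", uninspected_http_ports(SAMPLE_CONF))
```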



