[Snort-users] Snort on web servers behind reverse proxies

Tudor Panaitescu TPanaitescu at ...2032...
Thu May 1 10:29:10 EDT 2008



Hi

First of all I did some research and couldn't find anything about this, so
no flames please :-)

Here is the story. We have some reverse proxies/application
accelerators/etc. (let's call them reverse proxies for now) in front of our
web site. We don't control these reverse proxies and I am not sure if the
provider has any IDS capabilities on those. I have snort (2.8.0.2)
installed on the actual web servers but the only thing that I see in the
alerts is the IP addresses of the reverse proxies, which is normal. Now,
the reverse proxies, in their HTTP requests to the web servers, add 2
entries in the headers: X-Forwarded-For: <origin's IP address> and
True-Client-IP: <origin's IP address>. Is there a way to modify the rules to
alert using any of these IP addresses instead of the IP address(es) of the
reverse proxies?

Any help/idea would be appreciated.

Thanks and all the best,
Tudor
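
The following is an added example, not part of the original post and not a Snort feature: a post-processing sketch that takes an alert's source address and the logged HTTP request bytes and returns the address to attribute the alert to. The proxy range, sample request, and function names are assumptions constructed for illustration; the headers are honoured only when the TCP peer is a known reverse proxy, since a client can send either header itself.

```python
import ipaddress

# Assumption: the provider's reverse proxies live in this (documentation) range.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/28")]

def _is_proxy(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def _parse_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None                              # not a valid IP literal

def _headers(raw_request):
    """Parse the header block of a raw HTTP request into {name: [values]}."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    out = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            out.setdefault(name.strip().lower(), []).append(value.strip())
    return out

def origin_ip(peer, raw_request):
    """IP to attribute an alert to, given the TCP peer and the request bytes."""
    peer_ip = ipaddress.ip_address(peer)
    if not _is_proxy(peer_ip):
        return str(peer_ip)                      # direct hit: headers are untrusted
    hdrs = _headers(raw_request)
    # X-Forwarded-For grows hop by hop; reading right to left, everything
    # beyond the first non-proxy address may have been supplied by the client.
    chain = ",".join(hdrs.get("x-forwarded-for", [])).split(",")
    for entry in reversed(chain):
        ip = _parse_ip(entry)
        if ip is None:
            break                                # malformed entry: stop trusting the chain
        if not _is_proxy(ip):
            return str(ip)
    for value in hdrs.get("true-client-ip", []):
        ip = _parse_ip(value)
        if ip is not None and not _is_proxy(ip):
            return str(ip)
    return str(peer_ip)                          # nothing usable: keep the proxy address

# Constructed sample request; the leftmost X-Forwarded-For entry is client-controlled.
SAMPLE = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"X-Forwarded-For: 203.0.113.50, 198.51.100.7, 192.0.2.3\r\n"
          b"True-Client-IP: 198.51.100.7\r\n\r\n")
```

With the sample above, `origin_ip("192.0.2.5", SAMPLE)` attributes the request to 198.51.100.7 and ignores the leftmost entry, which the client could have forged.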

