[Snort-users] Snort on web servers behind reverse proxies

Joel Esler joel.esler at ...1935...
Thu May 1 11:25:41 EDT 2008

Okay, Let me clarify and you tell me if I am wrong or right.  You want  
to write a Snort rule to detect if your proxies are sending your  
inside ip's out to the internet?  Or are you asking how to modify your  
proxies so that they don't send the IP's at all?


On May 1, 2008, at 10:29 AM, Tudor Panaitescu wrote:

> Hi
> First of all I did some research and couldn't find anything about  
> this, so
> no flames please :-)
> Here is the story. We have some reverse proxies/application
> accelerators/etc. (let's call them reverse proxies for now) in front  
> of our
> web site. We don't control these reverse proxies and I am not sure  
> if the
> provider has any IDS capabilities on those. I have snort (
> installed on the actual web servers but the only thing that I see in  
> the
> alerts is the IP addresses of the reverse proxies, which is normal.  
> Now,
> the reverse proxies, in their http requests to the web servers, they  
> add 2
> entries in the headers: X-Forwarded-For: <origin's IP address> and
> True-Client-IP: <origin's IP address>. Is it a way to modify the  
> rules to
> alert using  any of these IP addresses instead of the IP address(es)  
> of the
> reverse proxies ?
> Any help/idea would be appreciated.
> Thanks and all the best,
> Tudor
> Visit us at http://www.colorcon.com
> NOTICE: This e-mail contains confidential and/or proprietary  
> information, some or all of which may be legally privileged. It is  
> intended only for the named recipient. If an addressing or  
> transmission error has misdirected the e-mail,
> please notify the author by replying to this message. If you are not  
> the named recipient you must not use, disclose, distribute, copy,  
> print, or rely on this e-mail, and should immediately delete it from  
> your computer system.
> Thank you. *
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> Don't miss this year's exciting event. There's still time to save  
> $100.
> Use priority code J8TL2D2.
> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

Joel Esler  joel.esler at ...1935...

More information about the Snort-users mailing list