[Snort-users] Snort on web servers behind reverse proxies
security at ...5028...
Thu May 1 12:10:57 EDT 2008
you will have to post process it. check out snortunified.pm for a
framework tat makes it easy.
Tudor Panaitescu wrote:
> First of all I did some research and couldn't find anything about this, so
> no flames please :-)
> Here is the story. We have some reverse proxies/application
> accelerators/etc. (let's call them reverse proxies for now) in front of our
> web site. We don't control these reverse proxies and I am not sure if the
> provider has any IDS capabilities on those. I have snort (220.127.116.11)
> installed on the actual web servers but the only thing that I see in the
> alerts is the IP addresses of the reverse proxies, which is normal. Now,
> the reverse proxies, in their http requests to the web servers, they add 2
> entries in the headers: X-Forwarded-For: <origin's IP address> and
> True-Client-IP: <origin's IP address>. Is it a way to modify the rules to
> alert using any of these IP addresses instead of the IP address(es) of the
> reverse proxies ?
> Any help/idea would be appreciated.
> Thanks and all the best,
> Visit us at http://www.colorcon.com
> NOTICE: This e-mail contains confidential and/or proprietary information, some or all of which may be legally privileged. It is intended only for the named recipient. If an addressing or transmission error has misdirected the e-mail,
> please notify the author by replying to this message. If you are not the named recipient you must not use, disclose, distribute, copy, print, or rely on this e-mail, and should immediately delete it from your computer system.
> Thank you. *
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> Don't miss this year's exciting event. There's still time to save $100.
> Use priority code J8TL2D2.
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users