[Snort-users] Snort on web servers behind reverse proxies

Tudor Panaitescu TPanaitescu at ...2032...
Thu May 1 22:22:40 EDT 2008



Hi Jason,

Thanks for the information. I took a look at snortunified.pm and I am a
little confused, please keep in mind that I haven't written a line of code
in over 12 years now so it is pretty hard for me to look at the code. Do
you have any hints for me regarding the usage ? I am using barnyard now for
logging to a mysql database + Base, can the software you recommended
replace barnyard ?

Thanks,
Tudor



                                                                           
             Jason                                                         
             <security at ...14353...                                             
             .com>                                                      To 
                                       Tudor Panaitescu                    
             05/01/2008 12:10          <TPanaitescu at ...2032...>          
             PM                                                         cc 
                                       snort-users at lists.sourceforge.net   
                                                                   Subject 
                                       Re: [Snort-users] Snort on web      
                                       servers behind reverse proxies      
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           




you will have to post process it. check out snortunified.pm for a
framework tat makes it easy.

Tudor Panaitescu wrote:
>
> Hi
>
> First of all I did some research and couldn't find anything about this,
so
> no flames please :-)
>
> Here is the story. We have some reverse proxies/application
> accelerators/etc. (let's call them reverse proxies for now) in front of
our
> web site. We don't control these reverse proxies and I am not sure if the
> provider has any IDS capabilities on those. I have snort (2.8.0.2)
> installed on the actual web servers but the only thing that I see in the
> alerts is the IP addresses of the reverse proxies, which is normal. Now,
> the reverse proxies, in their http requests to the web servers, they add
2
> entries in the headers: X-Forwarded-For: <origin's IP address> and
> True-Client-IP: <origin's IP address>. Is it a way to modify the rules to
> alert using  any of these IP addresses instead of the IP address(es) of
the
> reverse proxies ?
>
> Any help/idea would be appreciated.
>
> Thanks and all the best,
> Tudor
>
>
> Visit us at http://www.colorcon.com
>
> NOTICE: This e-mail contains confidential and/or proprietary information,
some or all of which may be legally privileged. It is intended only for the
named recipient. If an addressing or transmission error has misdirected the
e-mail,
> please notify the author by replying to this message. If you are not the
named recipient you must not use, disclose, distribute, copy, print, or
rely on this e-mail, and should immediately delete it from your computer
system.
>
> Thank you. *
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> Don't miss this year's exciting event. There's still time to save $100.
> Use priority code J8TL2D2.
>
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone

> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



Visit us at http://www.colorcon.com

NOTICE: This e-mail contains confidential and/or proprietary information, some or all of which may be legally privileged. It is intended only for the named recipient. If an addressing or transmission error has misdirected the e-mail,
please notify the author by replying to this message. If you are not the named recipient you must not use, disclose, distribute, copy, print, or rely on this e-mail, and should immediately delete it from your computer system.

Thank you. *




More information about the Snort-users mailing list