[Snort-users] Proxy woes

inetjunkmail inetjunkmail at ...11827...
Tue Nov 17 14:52:11 EST 2009


We have a proxy server between our users and the Internet.  The proxy
server is explicitly configured in their browsers (not transparent).  We'd
like to use Snort with both VRT and Emerging rules to help identify bots.
So I see two options:

Put Snort outside proxy servers:
Pro:  Destination addresses are valid so they can be matched on by Emerging
Bot rules
Con: Internal user's IP is lost unless correlated against proxy logs since
all source addresses are the proxy's external address

Put Snort inside proxy servers:
Pro: See the Internal client's IP address
Con: All destination addresses are the proxy server since the destination
web site is in the payload (not to mention the destination in the payload is
likely a URL rather than IP)

Is there any preprocessor or way to look at the traffic inside the proxy
request and have the preprocessor pull the destination out and do a DNS
lookup to identify the true destination IP before processing the rules?  I
understand the DNS overhead likely introduces too much delay; just looking
for any possibilities.
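As an added illustration (not part of the original post, and not a Snort preprocessor), the Python below works through both halves of the trade-off described above. For the "inside the proxy" placement it recovers the real destination host from an explicit-proxy request (CONNECT target, absolute URI on the request line, or the Host header) and can turn it into an IP through an injectable resolver; for the "outside the proxy" placement it correlates an alert's timestamp and destination IP against Squid-native-format proxy log lines to get the internal client back. Every request, hostname, IP and log line here is constructed, and the `resolver` hook is an assumption so the example runs offline.

```python
import re
import socket

# Constructed sample: an explicit-proxy request as a sensor inside the proxy
# would see it. The TCP destination is the proxy; the real site is on the
# request line (absolute URI) and in the Host header.
SAMPLE_GET = (
    b"GET http://example.com/gate.php?id=7 HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n"
    b"\r\n"
)
# Constructed sample: a CONNECT tunnel request for an HTTPS site.
SAMPLE_CONNECT = b"CONNECT example.org:443 HTTP/1.1\r\nHost: example.org:443\r\n\r\n"

ABS_URI = re.compile(rb"^(https?)://([^/:?#]+)(?::(\d+))?")


def proxy_destination(request: bytes):
    """Recover (host, port) of the real destination from a proxy-style request.

    Preference order: CONNECT target, absolute URI on the request line, then
    the Host header. Returns None if nothing usable is present.
    """
    head, _, _ = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) < 3:
        return None
    method, target = parts[0], parts[1]
    if method == b"CONNECT":
        host, _, port = target.rpartition(b":")
        if host and port.isdigit():
            return host.decode("ascii", "replace"), int(port)
        return None
    m = ABS_URI.match(target)
    if m:
        scheme, host, port = m.groups()
        default = 443 if scheme == b"https" else 80
        return host.decode("ascii", "replace"), int(port) if port else default
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host, _, port = value.strip().partition(b":")
            return host.decode("ascii", "replace"), int(port) if port.isdigit() else 80
    return None


def resolve_destination(request: bytes, resolver=socket.gethostbyname):
    """Map the recovered hostname to an IP so an IP-based rule could match.

    `resolver` is an assumed hook so the function can run offline; on a real
    sensor a cached or passive-DNS lookup would be the realistic choice.
    Returns (ip, port) or None.
    """
    dest = proxy_destination(request)
    if dest is None:
        return None
    host, port = dest
    try:
        return resolver(host), port
    except OSError:
        return None


# Constructed sample in Squid's native access.log layout:
# time elapsed client action/code bytes method URL ident hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1258480331.512    120 10.1.2.3 TCP_MISS/200 4521 GET http://example.com/gate.php?id=7 - DIRECT/192.0.2.10 text/html
1258480335.004     80 10.1.2.7 TCP_MISS/200 3310 GET http://example.net/ - DIRECT/198.51.100.5 text/html
1258480340.250    200 10.1.2.9 TCP_MISS/200 9001 GET http://example.com/gate.php?id=7 - DIRECT/192.0.2.10 text/html
"""


def correlate_alert(alert_time: float, alert_dst_ip: str, access_log: str, window: float = 5.0):
    """Map an alert raised outside the proxy (source = proxy's external IP)
    back to the internal client(s) whose proxied request went to the alerted
    server IP within `window` seconds of the alert timestamp."""
    clients = []
    for line in access_log.splitlines():
        fields = line.split()
        if len(fields) < 9:
            continue
        ts, client, peer = float(fields[0]), fields[2], fields[8]
        peer_ip = peer.partition("/")[2]
        if peer_ip == alert_dst_ip and abs(ts - alert_time) <= window:
            clients.append(client)
    return clients
```

The correlation side only works if sensor and proxy clocks agree and the proxy logs the server IP it actually connected to (the `DIRECT/ip` hierarchy field in Squid's native format); the parsing side gives the hostname without any DNS round trip, which is the piece that would matter for inline use.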