[Snort-users] Proxy woes

CunningPike cunningpike at ...11827...
Tue Nov 17 15:52:55 EST 2009


On Tue, Nov 17, 2009 at 11:52 AM, inetjunkmail <inetjunkmail at ...11827...>wrote:

> We have a proxy server between our users and the Internet.  The proxy
> server is explicitly configured in their browsers (not transparent).  We'd
> like to use Snort with both VRT and Emerging rules to help identify bots.
> So I see two options:
>
> Put Snort outside proxy servers:
> Pro:  Destination addresses are valid so they can be matched on by Emerging
> Bot rules
> Con: Internal user's IP is lost unless correlated against proxy logs since
> all source addresses are the proxy's external address
>
> Put Snort inside proxy servers:
> Pro: See the Internal client's IP address
> Con: All destination addresses are the proxy server since the destination
> web site is in the payload (not to mention the destination in the payload is
> likely a URL rather than IP)
>
> Is there any preprocessor or way to look at the traffic inside the proxy
> request and have the preprocessor pull the destination out and do a DNS
> lookup to identify the true destination IP before processing the rules?  I
> understand the DNS overhead likely introduces too much delay; just looking
> for any possibilities.
>
We have a setup pretty close to yours - our IDS is downstream of the proxy.
If/when we get an alert, we inspect the X-Forwarded-For header to determine
the IP address of the host that originated the request.

CP
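Both placements discussed above leave in the HTTP payload what the packet headers lack: inside the proxy the real destination is in the request line (an absolute URI, or host:port in a CONNECT for HTTPS) and in the Host header, so no DNS lookup is needed to name it; outside the proxy the originating client survives only in an X-Forwarded-For header that the proxy appends. The following is an added example, not code from this post or from Snort, showing how to pull both out of a captured request and how to trust X-Forwarded-For only for the part a known proxy appended, since a client can send its own forged copy. The proxy address 10.0.0.5, the client addresses and the three sample requests are constructed for the example.

```python
"""Pull the true destination and the originating client out of an HTTP request
that traverses an explicit (browser-configured) forward proxy.

Added example, not code from the mailing-list post or from Snort. The proxy
address, the client addresses and the sample requests are all constructed.
"""
import ipaddress
from urllib.parse import urlsplit


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request head into method, target and lower-cased headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def true_destination(req: dict) -> tuple[str, int]:
    """Destination host and port as carried in the payload.

    Inside the proxy the packet's destination IP is always the proxy, so the
    real target is in the request line: an absolute URI for plain HTTP, or
    host:port for CONNECT (HTTPS). Outside the proxy the Host header is used.
    """
    method, target, headers = req["method"], req["target"], req["headers"]
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host, int(port)
    if "://" in target:  # absolute-URI form a browser sends to an explicit proxy
        parts = urlsplit(target)
        return parts.hostname, parts.port or (443 if parts.scheme == "https" else 80)
    host, _, port = headers.get("host", "").partition(":")
    return host, (int(port) if port else 80)


def originating_client(req: dict, packet_src: str, trusted_proxies) -> str:
    """Originating client IP, trusting X-Forwarded-For only past known proxies.

    Walk the header right to left: each proxy appends the address it received
    the request from, so the rightmost entries were written by our own proxies
    and anything left of the first non-proxy address is client-controlled.
    """
    src = ipaddress.ip_address(packet_src)
    if not any(src in net for net in trusted_proxies):
        return str(src)  # not from a proxy: the packet source is the client, ignore XFF
    xff = req["headers"].get("x-forwarded-for", "")
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop rather than trust anything left of it
        if not any(addr in net for net in trusted_proxies):
            return str(addr)
    return str(src)  # no usable hop: fall back to the proxy address


def inspect(raw: bytes, packet_src: str, trusted_proxies) -> dict:
    """Combine both extractions for one captured request."""
    req = parse_request(raw)
    host, port = true_destination(req)
    return {"dst_host": host, "dst_port": port,
            "client": originating_client(req, packet_src, trusted_proxies)}


# Assumed address of the proxy (used for both its inside and outside interface
# to keep the example short).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]

# Constructed: request as seen by a sensor between the clients and the proxy.
# The client has forged an X-Forwarded-For header; it must not be believed.
INSIDE = (b"GET http://www.example.com/index.html HTTP/1.1\r\n"
          b"Host: www.example.com\r\n"
          b"X-Forwarded-For: 203.0.113.9\r\n\r\n")
# Constructed: the same request after the proxy appended the real client.
OUTSIDE = (b"GET /index.html HTTP/1.1\r\n"
           b"Host: www.example.com\r\n"
           b"X-Forwarded-For: 203.0.113.9, 10.1.2.3\r\n"
           b"Via: 1.1 proxy\r\n\r\n")
# Constructed: an HTTPS tunnel request; only the CONNECT line names the destination.
CONNECT = b"CONNECT mail.example.net:443 HTTP/1.1\r\nHost: mail.example.net:443\r\n\r\n"

if __name__ == "__main__":
    print(inspect(INSIDE, "10.1.2.3", TRUSTED_PROXIES))
    print(inspect(OUTSIDE, "10.0.0.5", TRUSTED_PROXIES))
    print(inspect(CONNECT, "10.1.2.3", TRUSTED_PROXIES))
```

The right-to-left walk is the general rule for any chain of proxies, not just the single one in the thread: only entries that our own proxies appended are trustworthy, and an alert raised on the outside sensor should be correlated to the rightmost non-proxy address, never to the leftmost one.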

