[Snort-users] Proxy woes
cunningpike at ...11827...
Tue Nov 17 15:52:55 EST 2009
On Tue, Nov 17, 2009 at 11:52 AM, inetjunkmail <inetjunkmail at ...11827...>wrote:
> We have a proxy server between our users and the Internet. The proxy
> server is explicitly configured in their browsers (not transparent). We'd
> like to use Snort with both VRT and Emerging rules to help identify bots.
> So I see two options:
> Put Snort outside proxy servers:
> Pro: Destination addresses are valid so they can be matched on by Emerging
> Bot rules
> Con: Internal user's IP is lost unless correlated against proxy logs since
> all source addresses are the proxy's external address
> Put Snort inside proxy servers:
> Pro: See the Internal client's IP address
> Con: All destination addresses are the proxy server since the destination
> web site is in the payload (not to mention the destination in the payload is
> likely a URL rather than IP)
> Is there any preprocessor or way to look at the traffic inside the proxy
> request and have the preprocessor pull the destination out and do a DNS
> lookup to identify the true destination IP before processing the rules? I
> understand the DNS overhead likely introduces too much delay; just looking
> for any possibilities.
We have a setup pretty close to yours - our IDS is downstream of the proxy.
If/when we get an alert, we inspect the X-Forwarded-For header to determine
the IP address of the host that originated the request.
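Added example (my own code, not from this thread, Snort, or any proxy vendor): a small Python helper that takes the raw HTTP request captured at either placement discussed above and recovers the originating client from X-Forwarded-For (the approach in the reply) plus the real destination host from the absolute-form request line that browsers send to an explicitly configured proxy, a CONNECT target, or the Host header, so an alert can be correlated without the DNS lookup the original poster worried about. The sample request and addresses are constructed; header names are the standard ones.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_request(raw: bytes) -> dict:
    """Split the head of a captured HTTP request into method, target, headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method, target = parts[0], (parts[1] if len(parts) > 1 else "")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}

def originating_client(headers: dict):
    """Leftmost X-Forwarded-For entry is the client our proxy accepted the
    request from; later entries are upstream proxies. Clients can send the
    header too, so anything that is not a parsable IP yields None, not a guess."""
    xff = headers.get("x-forwarded-for")
    if not xff:
        return None
    first = xff.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None

def true_destination(req: dict):
    """Recover the origin host: CONNECT host:port, an absolute-form request
    line (what a browser sends to an explicitly configured proxy), or Host."""
    target = req["target"]
    if req["method"] == "CONNECT":
        return target.rsplit(":", 1)[0] or None
    if "://" in target:
        return urlsplit(target).hostname
    return req["headers"].get("host", "").split(":")[0] or None

def enrich(raw: bytes) -> dict:
    # Fields worth attaching to an alert raised on either side of the proxy.
    req = parse_request(raw)
    return {"client": originating_client(req["headers"]),
            "dest_host": true_destination(req)}

# Constructed sample: a request as seen between the proxy and the Internet.
SAMPLE = (b"GET http://example.com/bot/checkin.php HTTP/1.1\r\n"
          b"Host: example.com\r\n"
          b"X-Forwarded-For: 10.1.2.3, 192.0.2.10\r\n\r\n")
```

Only trust the X-Forwarded-For value on the segment where your own proxy is the one writing it; upstream of the proxy it is whatever the client chose to send.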