[Snort-users] Proxy woes

Alan Ptak alan.ptak at ...11827...
Tue Nov 17 16:20:30 EST 2009


CP,

I find many IDS/IPS deployments configured as you describe.

As I'm sure you know, X- headers can be (and often are) spoofed. Just  
pointing out the bleedin' obvious. Customers occasionally ask for  
custom rules to alert on a specific X-Forwarded-For address, which  
generally proves effective for a day or two.

Alan

On Nov 17, 2009, at 12:52 PM, CunningPike wrote:

> On Tue, Nov 17, 2009 at 11:52 AM, inetjunkmail  
> <inetjunkmail at ...11827...> wrote:
> We have an proxy server between our users and the Internet.  The  
> proxy server is explicitly configured in their browsers (not  
> transparent).  We'd like to use Snort with both VRT and Emerging  
> rules to help identify bots.  So I see two options:
>
> Put Snort outside proxy servers:
> Pro:  Destination addresses are valid so they can be matched on by  
> Emerging Bot rules
> Con: Internal user's IP is lost unless correlated against proxy logs  
> since all source addresses are the proxy's external address
>
> Put Snort inside proxy servers:
> Pro: See the Internal client's IP address
> Con: All destination addresses are the proxy server since the  
> destination web site is in the payload (not to mention the  
> destination in the payload is likely a URL rather than IP)
>
> Is there any preprocessor or way to look at the traffic inside the  
> proxy request and have the preprocessor pull the destination out and  
> do a DNS lookup to identify the true destination IP before  
> processing the rules?  I understand the DNS overhead likely  
> introduces too much delay; just looking for any possibilities.
>
> We have a setup pretty close to yours - our IDS is downstream of the  
> proxy. If/when we get an alert, we inspect the X-Forwarded-For  
> header to determine the IP address of the host that originated the  
> request.
>
> CP
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008  
> 30-Day
> trial. Simplify your report design, integration and deployment - and  
> focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july_______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Alan Ptak
E: alan.ptak at ...11827...







-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20091117/cf9d5f2b/attachment.html>


More information about the Snort-users mailing list