[Snort-users] Proxy woes

Jason Wallace jason.r.wallace at ...11827...
Tue Nov 17 16:46:18 EST 2009

I'm getting ready to deploy in the same fashion. The X-Forwarded-For
header will work but it will be a PIA digging into every alert to find
it and will make reporting on the number of hosts affected with a
particular bot (or whatever else) pretty difficult. There might be a
good idea for a proxy preprocessor in here somewhere to make tracking
this easier.

on that note...

We currently do not have X-Forwarded-For turned on on our proxy. Is
any one else concerned that it provide internal IP information to
whatever the proxy is forwarding the request to? I guess if the client
has something malicious on it whatever it is will already know what
the internal IP is and could pass that on if it could make use of
it... moot point?

On Tue, Nov 17, 2009 at 3:52 PM, CunningPike <cunningpike at ...11827...> wrote:
> On Tue, Nov 17, 2009 at 11:52 AM, inetjunkmail <inetjunkmail at ...11827...>
> wrote:
>> We have an proxy server between our users and the Internet.  The proxy
>> server is explicitly configured in their browsers (not transparent).  We'd
>> like to use Snort with both VRT and Emerging rules to help identify bots.
>> So I see two options:
>> Put Snort outside proxy servers:
>> Pro:  Destination addresses are valid so they can be matched on by
>> Emerging Bot rules
>> Con: Internal user's IP is lost unless correlated against proxy logs since
>> all source addresses are the proxy's external address
>> Put Snort inside proxy servers:
>> Pro: See the Internal client's IP address
>> Con: All destination addresses are the proxy server since the destination
>> web site is in the payload (not to mention the destination in the payload is
>> likely a URL rather than IP)
>> Is there any preprocessor or way to look at the traffic inside the proxy
>> request and have the preprocessor pull the destination out and do a DNS
>> lookup to identify the true destination IP before processing the rules?  I
>> understand the DNS overhead likely introduces too much delay; just looking
>> for any possibilities.
> We have a setup pretty close to yours - our IDS is downstream of the proxy.
> If/when we get an alert, we inspect the X-Forwarded-For header to determine
> the IP address of the host that originated the request.
> CP
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

More information about the Snort-users mailing list