[Snort-users] Proxy woes

Joel Esler jesler at ...1935...
Tue Nov 17 17:41:27 EST 2009


On Tue, Nov 17, 2009 at 4:20 PM, Alan Ptak <alan.ptak at ...11827...> wrote:

> CP,
>
> I find many IDS/IPS deployments configured as you describe.
>
> As I'm sure you know, X- headers can be (and often are) spoofed. Just
> pointing out the bleedin' obvious. Customers occasionally ask for custom
> rules to alert on a specific X-Forwarded-For address, which generally proves
> effective for a day or two.
>
>
I'd rather put the sensor behind the proxy. That way I can see the internal
address.  That's more important to me then where they are going.  Either way
you can look it up, but which one is more important to act on?  The internal
or the external?

Pros and cons.

J



> Alan
>
> On Nov 17, 2009, at 12:52 PM, CunningPike wrote:
>
> On Tue, Nov 17, 2009 at 11:52 AM, inetjunkmail <inetjunkmail at ...11827...>wrote:
>
>> We have an proxy server between our users and the Internet.  The proxy
>> server is explicitly configured in their browsers (not transparent).  We'd
>> like to use Snort with both VRT and Emerging rules to help identify bots.
>> So I see two options:
>>
>> Put Snort outside proxy servers:
>> Pro:  Destination addresses are valid so they can be matched on by
>> Emerging Bot rules
>> Con: Internal user's IP is lost unless correlated against proxy logs since
>> all source addresses are the proxy's external address
>>
>> Put Snort inside proxy servers:
>> Pro: See the Internal client's IP address
>> Con: All destination addresses are the proxy server since the destination
>> web site is in the payload (not to mention the destination in the payload is
>> likely a URL rather than IP)
>>
>> Is there any preprocessor or way to look at the traffic inside the proxy
>> request and have the preprocessor pull the destination out and do a DNS
>> lookup to identify the true destination IP before processing the rules?  I
>> understand the DNS overhead likely introduces too much delay; just looking
>> for any possibilities.
>>
>> We have a setup pretty close to yours - our IDS is downstream of the
> proxy. If/when we get an alert, we inspect the X-Forwarded-For header to
> determine the IP address of the host that originated the request.
>
> CP
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
>
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.
> http://p.sf.net/sfu/bobj-july_______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> --
> Alan Ptak
> E: alan.ptak at ...11827...
>
>
>
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



-- 
Joel Esler | 302-223-5974 | gtalk: jesler at ...1935...
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20091117/ddfebc46/attachment.html>


More information about the Snort-users mailing list