[Snort-users] Proxy woes

Joel Esler jesler at ...1935...
Tue Nov 17 17:42:24 EST 2009


The Government may have a problem with revealing their super secret 10.1.1.1
addresses, but I guess, from the grand scope of things, who really cares?
 So?  You are using private address space.  So is everyone else.

J

On Tue, Nov 17, 2009 at 4:46 PM, Jason Wallace <jason.r.wallace at ...11827...>wrote:

> I'm getting ready to deploy in the same fashion. The X-Forwarded-For
> header will work but it will be a PIA digging into every alert to find
> it and will make reporting on the number of hosts affected with a
> particular bot (or whatever else) pretty difficult. There might be a
> good idea for a proxy preprocessor in here somewhere to make tracking
> this easier.
>
> on that note...
>
> We currently do not have X-Forwarded-For turned on on our proxy. Is
> anyone else concerned that it provides internal IP information to
> whatever the proxy is forwarding the request to? I guess if the client
> has something malicious on it whatever it is will already know what
> the internal IP is and could pass that on if it could make use of
> it... moot point?
>
> On Tue, Nov 17, 2009 at 3:52 PM, CunningPike <cunningpike at ...11827...> wrote:
> > On Tue, Nov 17, 2009 at 11:52 AM, inetjunkmail <inetjunkmail at ...11827...> wrote:
> >>
> >> We have a proxy server between our users and the Internet.  The proxy
> >> server is explicitly configured in their browsers (not transparent).  We'd
> >> like to use Snort with both VRT and Emerging rules to help identify bots.
> >> So I see two options:
> >>
> >> Put Snort outside proxy servers:
> >> Pro:  Destination addresses are valid so they can be matched on by
> >> Emerging Bot rules
> >> Con: Internal user's IP is lost unless correlated against proxy logs since
> >> all source addresses are the proxy's external address
> >>
> >> Put Snort inside proxy servers:
> >> Pro: See the Internal client's IP address
> >> Con: All destination addresses are the proxy server since the destination
> >> web site is in the payload (not to mention the destination in the payload is
> >> likely a URL rather than IP)
> >>
> >> Is there any preprocessor or way to look at the traffic inside the proxy
> >> request and have the preprocessor pull the destination out and do a DNS
> >> lookup to identify the true destination IP before processing the rules?  I
> >> understand the DNS overhead likely introduces too much delay; just looking
> >> for any possibilities.
> >>
> > We have a setup pretty close to yours - our IDS is downstream of the proxy.
> > If/when we get an alert, we inspect the X-Forwarded-For header to determine
> > the IP address of the host that originated the request.
> >
> > CP
> >
>
>



-- 
Joel Esler | 302-223-5974 | gtalk: jesler at ...1935...
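The X-Forwarded-For correlation CunningPike describes, and the per-signature host counting Jason wants, as an added example that is not part of this thread or of Snort itself. The alert records and rule messages below are constructed; it assumes the captured HTTP request is available as bytes for each alert and that exactly one proxy (yours) appends the client address, so the trusted value is the last element of the header, not whatever the client itself may have put in front of it.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Optional

# Constructed sample alerts: (rule message, raw HTTP request as captured in the
# alert payload). A real pipeline would read these from Snort's output instead.
SAMPLE_ALERTS = [
    ("EXAMPLE Bot Checkin", b"GET /gate.php HTTP/1.1\r\nHost: c2.example\r\nX-Forwarded-For: 10.1.1.1\r\n\r\n"),
    ("EXAMPLE Bot Checkin", b"GET /gate.php HTTP/1.1\r\nHost: c2.example\r\nX-Forwarded-For: 10.1.1.7\r\n\r\n"),
    # The client pre-set its own X-Forwarded-For; the proxy appended the real address last.
    ("EXAMPLE Bot Checkin", b"GET /gate.php HTTP/1.1\r\nHost: c2.example\r\nX-Forwarded-For: 1.2.3.4, 10.1.1.7\r\n\r\n"),
    ("EXAMPLE Suspicious User-Agent", b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"),
]

# Header names are case-insensitive; capture the value up to the end of its line.
XFF_RE = re.compile(rb"^X-Forwarded-For:[ \t]*([^\r\n]+)", re.IGNORECASE | re.MULTILINE)


def originating_host(http_request: bytes) -> Optional[str]:
    """Return the client address appended by the proxy, or None if the header is absent.

    With one proxy in the path, the element it appended is the last one; any
    earlier elements were supplied by the client and are not trusted.
    """
    match = XFF_RE.search(http_request)
    if not match:
        return None
    hops = [h.strip() for h in match.group(1).decode("ascii", "replace").split(",")]
    try:
        return str(ipaddress.ip_address(hops[-1]))
    except ValueError:  # malformed or non-IP value: do not guess
        return None


def hosts_per_signature(alerts):
    """Map each rule message to the sorted set of distinct originating hosts."""
    seen = defaultdict(set)
    for msg, request in alerts:
        host = originating_host(request)
        seen[msg].add(host if host else "unknown (no X-Forwarded-For)")
    return {msg: sorted(hosts) for msg, hosts in seen.items()}


if __name__ == "__main__":
    for msg, hosts in hosts_per_signature(SAMPLE_ALERTS).items():
        print(f"{msg}: {len(hosts)} host(s): {', '.join(hosts)}")
```

Alerts with no header (proxy not adding it, or non-HTTP traffic) are reported as unknown rather than attributed to the proxy's address, which is exactly the gap the thread is discussing.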