[Snort-users] IDS behind a web gateway

Nate Hausrath hausrath.mailing.list at ...11827...
Fri Apr 2 16:00:57 EDT 2010


Hello everyone,

We've run into an issue with the way our IDS views traffic after we installed a new web gateway.  The old system was essentially transparent, so when a web request was sent from the inside to the outside, it looked like this on the IDS:

10.0.0.1 --> 11.22.33.44:80
10.0.0.1 <-- 11.22.33.44:80

Obviously this makes it easy to determine the inside address of any system that may trigger an alert with Snort, but it also allows us to easily research the outside address.  The sensor knows the IP addresses of both.

However, the new system is not transparent, and there are some issues outside my control about making it transparent.  So in this case, the traffic seen by the IDS looks like this:

10.0.254.254 --> 11.22.33.44:80
10.0.254.254 <-- 11.22.33.44:80

10.0.254.254 is the web gateway.  In this case, we do not see the internal address.  It is certainly possible to go to the web gateway and determine the inside address if any signature fires, but this is an extra step and is undesirable.

We could also move the sensor behind the web gateway so it looks like this:

10.0.0.1 --> 10.0.254.254
10.0.0.1 <-- 10.0.254.254

But we are now missing the external address.

Has anyone run into this problem before?  If so, what are some options for solving it?  One idea I had was to read traffic from both sides of the gateway and attempt to combine them on the sensor, but I'm not sure how well this would work.  There may be a better solution that I have not thought of!

Thanks for any help!
-Nate



More information about the Snort-users mailing list