[Snort-users] IDS behind a web gateway

Joel Esler joel.esler at ...14399...
Fri Apr 2 16:05:27 EDT 2010


I run into this all the time.  There really is no solution for it.

What I generally do is place the IPS outside the web content filtering system, as you have it, and if needed, correlate the logs with the web gateway's logs.

I'd rather have the external address so I know which one to block.

J

On Apr 2, 2010, at 4:00 PM, Nate Hausrath wrote:

> Hello everyone,
> 
> We've run into an issue with the way our IDS views traffic after we installed a new web gateway.  The old system was essentially transparent, so when a web request was sent from the inside to the outside, it looked like this on the IDS:
> 
> 10.0.0.1 --> 11.22.33.44:80
> 10.0.0.1 <-- 11.22.33.44:80
> 
> Obviously this makes it easy to determine the inside address of any system that may trigger an alert with Snort, but it also allows us to easily research the outside address.  The sensor knows the IP addresses of both.
> 
> However, the new system is not transparent, and there are some issues outside my control about making it transparent.  So in this case, the traffic seen by the IDS looks like this:
> 
> 10.0.254.254 --> 11.22.33.44:80
> 10.0.254.254 <-- 11.22.33.44:80
> 
> 10.0.254.254 is the web gateway.  In this case, we do not see the internal address.  It is certainly possible to go to the web gateway and determine the inside address if any signature fires, but this is an extra step and is undesirable.
> 
> We could also move the sensor behind the web gateway so it looks like this:
> 
> 10.0.0.1 --> 10.0.254.254
> 10.0.0.1 <-- 10.0.254.254
> 
> But we are now missing the external address.
> 
> Has anyone run into this problem before?  If so, what are some options for solving it?  One idea I had was to read traffic from both sides of the gateway and attempt to combine them on the sensor, but I'm not sure how well this would work.  There may be a better solution that I have not thought of!
> 
> Thanks for any help!
> -Nate
> ------------------------------------------------------------------------------
> Download Intel® Parallel Studio Eval
> Try the new software tools for yourself. Speed compiling, find bugs
> proactively, and fine-tune applications for parallel performance.
> See why Intel Parallel Studio got high marks during beta.
> http://p.sf.net/sfu/intel-sw-dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler
http://blog.joelesler.net






More information about the Snort-users mailing list