[Snort-users] transparent proxy client IP not showing in alert

Trembly.MaryEtta Trembly.MaryEtta at ...15614...
Tue May 1 10:40:09 EDT 2012


We have an issue with configuring snort to alert on the client side of a transparently proxied web connection. We are mirroring the client side of the connection to an interface on our snort sensor.

It seems we should see alerts showing the client IP but the alerts we see are only showing the proxy IP.  If we tell snort to ignore the proxy IP, we do not get any alerts. Using tcpdump we are able to extract packets that show the source IP as the client and dest IP as the external web server...the same way the client sees the traffic. Shouldn't snort be able to alert on these packets while ignoring the web proxy IP?

We are aware of an enable_xff option for snort to extract the X-Forward record; unfortunately barnyard2 is not able to extract the Original Client info to send to the database on any version of snort newer than 9.1.0.5. This version of snort is too old for our use.

I believe snort is actually following the MAC address and matching it to the web proxy IP, and ignoring the packets because it can match the MAC to the proxy. The captured packets that show the client talking "directly" to the external web server IP have the MAC address of the web proxy, which is how the packets get transferred through the web proxy.

Is there a way to tell snort not to try to match the MAC to IP?

M.E.T.
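A way to check the MAC-versus-IP observation described above against captured frames, by mapping each source MAC to the source IPs that appear behind it (an added example, not part of the original post or of Snort itself; the MAC and IP addresses are constructed):

```python
"""Map source MAC addresses to the source IPs seen behind them, to test the
hypothesis that client IPs are riding on the transparent proxy's MAC.
Added example, not from the original post; all MACs and IPs are constructed."""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")  # dst MAC, src MAC, EtherType
ETHERTYPE_IPV4 = 0x0800


def build_frame(src_mac, dst_mac, src_ip, dst_ip):
    """Construct a minimal Ethernet + IPv4 frame (no payload) for the demo."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         bytes(map(int, src_ip.split("."))),
                         bytes(map(int, dst_ip.split("."))))
    return ETH_HDR.pack(bytes.fromhex(dst_mac.replace(":", "")),
                        bytes.fromhex(src_mac.replace(":", "")),
                        ETHERTYPE_IPV4) + ip_hdr


def mac_to_ips(frames):
    """Return {src MAC: sorted list of src IPs} over the IPv4 frames given."""
    seen = defaultdict(set)
    for frame in frames:
        _dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame)
        if ethertype != ETHERTYPE_IPV4:
            continue
        src_ip = frame[ETH_HDR.size + 12:ETH_HDR.size + 16]  # IPv4 src field
        seen[src_mac.hex(":")].add(".".join(map(str, src_ip)))
    return {mac: sorted(ips) for mac, ips in seen.items()}


def proxy_candidates(frames):
    """MACs that front more than one source IP: the transparent-proxy signature."""
    return sorted(mac for mac, ips in mac_to_ips(frames).items() if len(ips) > 1)


PROXY_MAC = "00:11:22:33:44:55"    # constructed: the web proxy's interface
GATEWAY_MAC = "aa:bb:cc:dd:ee:ff"  # constructed: the upstream router
SAMPLE_FRAMES = [  # constructed mirror of the client side of the proxy
    build_frame(PROXY_MAC, GATEWAY_MAC, "10.0.0.21", "203.0.113.10"),
    build_frame(PROXY_MAC, GATEWAY_MAC, "10.0.0.22", "203.0.113.10"),
    build_frame(PROXY_MAC, GATEWAY_MAC, "10.0.0.5", "198.51.100.7"),  # proxy's own IP
    build_frame(GATEWAY_MAC, PROXY_MAC, "203.0.113.10", "10.0.0.21"),  # reply
]

if __name__ == "__main__":
    for mac, ips in mac_to_ips(SAMPLE_FRAMES).items():
        print(mac, ips)
    print("proxy candidates:", proxy_candidates(SAMPLE_FRAMES))
```

Running this over frames read from the mirrored interface (for example via a pcap reader in place of `SAMPLE_FRAMES`) shows whether several client IPs share one source MAC, which is the condition the post suspects is causing the proxy IP to be matched.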

