[Snort-users] [Emerging-Sigs] Snort Alerts Differences with and without WebProxy
jesler at ...1935...
Sun May 20 11:26:07 EDT 2012
Probably a better question for the Snort-users mailing list. But yes, the IPs may show up differently (for instance, the source IP may be that of the proxy).
Maybe some checksum errors in there?
Do a tcpdump on the interface with the -vv options and see if "incorrect" shows up in the dump.
On May 20, 2012, at 4:31 AM, Balasubramaniam Natarajan <bala150985 at ...13704......> wrote:
> Should there be any difference in Snort alerts if the internal clients are using a web proxy, as opposed to those which are not? I am asking this because I see a remarkable difference between the two.
> Initial Configuration without Squid WebProxy
> Internal Clients (Default Gateway eth1 on snort) ---> (eth1) Snort (eth0) ----> Internet
> Snort was running on eth1 and it logged lots of alerts
> Present Configuration with Squid WebProxy
> Internal Client (webproxy to snort:3128 on eth1) ------> (eth1) Snort (eth0) ------> Internet
> Now Snort is running on the eth0 interface and the number of alerts which are logged is far smaller. I guess some alerts are somehow missed.
> Balasubramaniam Natarajan
> Emerging-sigs mailing list
> Emerging-sigs at ...15591...
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
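As an added illustration of the tcpdump checksum check suggested in the reply above (this is example code, not something posted in the thread): when the sensor also runs Squid, the proxy's own outbound packets leave through eth0, and if the NIC does TX checksum offload they are captured before the hardware fills in the checksum, so tcpdump -vv flags them "(incorrect -> ...)" and Snort, which verifies checksums by default, does not inspect them. The script parses a constructed tcpdump -vv excerpt and reports whether the flagged packets are only the sensor's own. The sensor address 192.0.2.1, the interface name eth0 and the sample packets are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original thread. Checks a tcpdump -vv
# text dump for packets whose checksums tcpdump could not verify, and
# tells whether they all come from the sensor itself (TX offload) or
# from elsewhere (real corruption or a capture problem).
#
# On the live sensor the dump would be produced with something like
# (interface name and filter are assumptions):
#   tcpdump -nn -vv -i eth0 -c 2000 'tcp port 80' > /tmp/eth0.txt
# tcpdump -vv verifies TCP/UDP checksums and prints
#   "cksum 0x.... (incorrect -> 0x....)" on the packet's second line.

# Constructed sample in tcpdump -vv format: two packets sent by the
# sensor/proxy (192.0.2.1) with unfilled checksums, one inbound reply
# that verifies fine.
SAMPLE_DUMP='11:26:07.000001 IP (tos 0x0, ttl 64, id 100, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.1.40001 > 198.51.100.20.80: Flags [S], cksum 0x1b2c (incorrect -> 0x9f1e), seq 1, win 29200, options [mss 1460], length 0
11:26:07.000002 IP (tos 0x0, ttl 54, id 200, offset 0, flags [DF], proto TCP (6), length 60)
    198.51.100.20.80 > 192.0.2.1.40001: Flags [S.], cksum 0x7a10 (correct), seq 2, ack 2, win 65535, options [mss 1460], length 0
11:26:07.000003 IP (tos 0x0, ttl 64, id 101, offset 0, flags [DF], proto TCP (6), length 52)
    192.0.2.1.40001 > 198.51.100.20.80: Flags [.], cksum 0x0000 (incorrect -> 0x3c4d), ack 2, win 229, length 0'

# count_bad_cksum: reads a tcpdump -vv dump on stdin, prints "<bad> <total>".
# A packet starts with a timestamp line; its protocol line is indented.
count_bad_cksum() {
    awk '
        /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ { total++; next }
        /\(incorrect/                       { bad++ }
        END { printf "%d %d\n", bad + 0, total + 0 }
    '
}

# diagnose SENSOR_IP: reads the same dump on stdin and prints one of
#   no-packets     nothing captured
#   clean          no checksum failures
#   tx-offload     only packets sourced from SENSOR_IP are flagged
#   bad-checksums  packets from other hosts are flagged too
diagnose() {
    awk -v me="$1" '
        /^[0-9][0-9]:[0-9][0-9]:[0-9][0-9]/ { total++; next }
        /\(incorrect/ {
            bad++
            src = $1                      # "a.b.c.d.port" on the protocol line
            sub(/\.[0-9]+$/, "", src)     # strip the port, keep the address
            if (src != me) foreign++
        }
        END {
            if (total + 0 == 0)        print "no-packets"
            else if (bad + 0 == 0)     print "clean"
            else if (foreign + 0 == 0) print "tx-offload"
            else                       print "bad-checksums"
        }
    '
}

# Stand-alone run over the constructed sample; on a real sensor pipe the
# saved tcpdump output in instead of $SAMPLE_DUMP.
printf '%s\n' "$SAMPLE_DUMP" | count_bad_cksum
verdict=$(printf '%s\n' "$SAMPLE_DUMP" | diagnose 192.0.2.1)
echo "verdict: $verdict"
if [ "$verdict" = "tx-offload" ]; then
    # Two ways to make Snort see these packets again (interface is an assumption):
    #   ethtool -K eth0 tx off          # stop the NIC from filling checksums after capture
    #   config checksum_mode: none      # in snort.conf, or "snort -k none" on the command line
    echo "only the sensor's own packets fail verification: suspect checksum offload"
fi
```

The distinction matters because the two verdicts call for different fixes: "tx-offload" is a capture artifact on the sensor itself and is resolved with ethtool or Snort's checksum_mode, while "bad-checksums" from other hosts points at the network path or the span/tap and should not be papered over by disabling verification.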