[Snort-users] [Emerging-Sigs] Snort Alerts Differences with and without WebProxy

Joel Esler jesler at ...1935...
Sun May 20 11:26:07 EDT 2012

Probably a better question for the Snort-users mailing list. But yes, the ips may show up differently (for instance the source ip may be that of the proxy). 

Maybe some checksum errors in there?

Do a tcpdump on the interface with the -vv options and see if "incorrect" shows up in the dump. 

Joel Esler

On May 20, 2012, at 4:31 AM, Balasubramaniam Natarajan <bala150985 at ...13704......> wrote:

> Hi
> Should there be any difference with Snort alerts if the internal client are using a webproxy as oppose to those which are not ?   I am asking this because I see remarkable difference between the two.
> Initial Configuration without Squid WebProxy
> Internal Clients (Default Gateway eth1 on snort) ---> (eth1) Snort (eth0) ----> Internet
> Snort was running on eth1 and it logged lots of alerts
> Present Configuration with Squid WebProxy
> Internal Client (webproxy to snort:3128 on eth1)   ------> (eth1) Snort (eth0) ------> Internet
> Now Snort is running on eth0 interface and the number of alerts which are logged are way too less.  I guess some alerts are somehow missed.
> -- 
> Regards,
> Balasubramaniam Natarajan
> www.etutorshop.com/moodle/
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at ...15591...
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20120520/9c04d0b9/attachment.html>

More information about the Snort-users mailing list