[Snort-users] [Emerging-Sigs] Snort Alerts Differences with and without WebProxy

Balasubramaniam Natarajan bala150985 at ...11827...
Sun May 20 15:28:23 EDT 2012


Hi

I made some more tests and I can confirm that something is going wrong: if I
have the proxy on, snort is missing some alerts for my clients.

*Baseline without Proxy*
When I did not use a webproxy for the client and accessed a page where the
username and password would be submitted in clear text, snort would throw up
this alert:
"ET POLICY Http Client Body contains pass= in cleartext".

*Test1: (Running Wireshark on the client)*
I ran wireshark locally on the client and tried to access the same page where
the username and password would be submitted in clear text. Snort did not
throw the alert as it did previously, though I am able to see my username and
password in the pcap.

*Test2: (Running tcpdump on snort: #tcpdump -vv -i eth0 -w eth0.pcap -s 0)*
I ran tcpdump on the eth0 interface of snort and tried to access the same page
where the username and password would be submitted in clear text. Snort did
not throw the alert, though I am able to see my username and password in the
pcap.

*Test3: (Running tcpdump on snort: #tcpdump -vv -i eth1 -w eth1.pcap -s 0)*
I ran tcpdump on the eth1 interface of snort and tried to access the same page
where the username and password would be submitted in clear text. Snort did
not throw the alert, though I am able to see my username and password in the
pcap.

Attaching screen shot of Test2 and Test3.

http://img207.imageshack.us/img207/4480/snortproxy.jpg

*Note:* I had to add the additional switch "-s 0" to tcpdump as I was getting
this error: "[Packet size limited during capture: HTTP truncated]". I am not
sure if snort is sharing the same fate as tcpdump, and I am not sure how to
add the additional switch "-s 0" to the running instance of snort.

@Joel, thanks for pointing me to the right group for this question. I did not
see "incorrect" appearing anywhere in the pcap.

On Sun, May 20, 2012 at 8:56 PM, Joel Esler <jesler at ...1935...> wrote:

> Probably a better question for the Snort-users mailing list. But yes, the
> IPs may show up differently (for instance the source IP may be that of the
> proxy).
>
> Maybe some checksum errors in there?
>
> Do a tcpdump on the interface with the -vv options and see if "incorrect"
> shows up in the dump.
>
> --
> Joel Esler
>
> On May 20, 2012, at 4:31 AM, Balasubramaniam Natarajan <
> bala150985 at ...11827...> wrote:
>
> Hi
>
> Should there be any difference in Snort alerts if the internal clients
> are using a webproxy as opposed to those which are not? I am asking this
> because I see a remarkable difference between the two.
>
>
> *Initial Configuration without Squid WebProxy*
> Internal Clients (Default Gateway eth1 on snort) ---> (eth1) Snort (eth0)
> ----> Internet
>
> Snort was running on eth1 and it logged lots of alerts
>
>
> *Present Configuration with Squid WebProxy*
>
> Internal Client (webproxy to snort:3128 on eth1)   ------> (eth1) Snort
> (eth0) ------> Internet
>
> Now Snort is running on the eth0 interface and the number of alerts which
> are logged is far lower. I guess some alerts are somehow being missed.
>
> --
> Regards,
> Balasubramaniam Natarajan
> www.etutorshop.com/moodle/
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at ...15591...
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
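The two things the replies above suggest checking, capture truncation (tcpdump's "Packet size limited during capture", cured with "-s 0") and bad checksums ("incorrect" in a -vv dump), can both be read straight out of a pcap file. The script below is an added example written for this page; it is not code from the thread, from Snort or from tcpdump. It builds two Ethernet/IPv4/TCP frames in memory (RFC 5737 test addresses, a constructed login POST, constructed timestamps), one with a deliberately broken TCP checksum of the sort checksum offload can produce on a capture, writes them as a pcap at a small snaplen and at a full one, and audits each record for truncation and for whether the IPv4 and TCP checksums verify.

```python
import socket
import struct

# Added example: reconstructs the truncation and checksum checks from the
# thread against constructed frames, so it runs offline.

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by the IPv4 and TCP checksums."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    return (~ones_complement_sum(data)) & 0xFFFF


def build_tcp_frame(src_ip, dst_ip, sport, dport, payload, corrupt_tcp_checksum=False):
    """Ethernet/IPv4/TCP frame with valid checksums; optionally mangle the TCP
    one to mimic a capture taken on a host where offload left it unfilled."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp_len = 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234,
                         0x4000, 64, 6, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    # seq/ack 1, data offset 5 words, flags PSH|ACK, window 65535, csum 0
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = src + dst + struct.pack("!BBH", 0, 6, tcp_len)
    tcp_csum = checksum(pseudo + tcp_hdr + payload)
    if corrupt_tcp_checksum:
        tcp_csum ^= 0x00FF
    tcp_hdr = tcp_hdr[:16] + struct.pack("!H", tcp_csum) + tcp_hdr[18:]
    eth_hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth_hdr + ip_hdr + tcp_hdr + payload


def write_pcap(frames, snaplen):
    """Serialise frames as a pcap, cutting each record at snaplen the way
    tcpdump -s does; incl_len < orig_len is exactly the truncation condition."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        # constructed timestamps around the date of the thread
        out += struct.pack("<IIII", 1337516903 + i, 0, len(captured), len(frame))
        out += captured
    return out


def audit_pcap(pcap: bytes):
    """Per record: was it truncated, and do the IPv4 header and TCP segment
    checksums verify (None when the record is too short to tell)."""
    if struct.unpack("<I", pcap[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap")
    pos, results = 24, []
    while pos + 16 <= len(pcap):
        _, _, incl_len, orig_len = struct.unpack("<IIII", pcap[pos:pos + 16])
        pos += 16
        data = pcap[pos:pos + incl_len]
        pos += incl_len
        r = {"truncated": incl_len < orig_len, "ip_csum_ok": None, "tcp_csum_ok": None}
        if len(data) >= 34 and data[12:14] == b"\x08\x00":
            ihl = (data[14] & 0x0F) * 4
            ip_hdr = data[14:14 + ihl]
            if len(ip_hdr) == ihl:
                # a header with a valid checksum sums to 0xFFFF
                r["ip_csum_ok"] = ones_complement_sum(ip_hdr) == 0xFFFF
                total_len = struct.unpack("!H", ip_hdr[2:4])[0]
                segment = data[14 + ihl:14 + total_len]
                if ip_hdr[9] == 6 and len(segment) == total_len - ihl:
                    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(segment))
                    r["tcp_csum_ok"] = ones_complement_sum(pseudo + segment) == 0xFFFF
        results.append(r)
    return results


# Constructed request body of the kind the "pass= in cleartext" rule looks for.
LOGIN_POST = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n"
              b"Content-Length: 27\r\n\r\nuser=alice&pass=placeholder")


def run_demo():
    """Same two frames captured at a small snaplen (96) and at 262144 (-s 0)."""
    frames = [
        build_tcp_frame("192.0.2.10", "198.51.100.5", 40000, 80, LOGIN_POST),
        build_tcp_frame("192.0.2.10", "198.51.100.5", 40001, 80, LOGIN_POST,
                        corrupt_tcp_checksum=True),
    ]
    return {"snaplen_96": audit_pcap(write_pcap(frames, 96)),
            "snaplen_full": audit_pcap(write_pcap(frames, 262144))}


if __name__ == "__main__":
    for name, records in run_demo().items():
        print(name, records)
```

At snaplen 96 every record is flagged truncated and the TCP checksum cannot be verified at all, because the body containing "pass=" is simply not in the file; that is the same loss the "Packet size limited during capture" message reports, and a sensor that only sees the first 96 bytes has nothing to match the rule against. At the full snaplen the first frame verifies cleanly and the second shows a bad TCP checksum, which is the condition a checksum-verifying IDS would drop before content matching. To run it on a real file, replace the `write_pcap(...)` call with the bytes of a capture taken with `-s 0`.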

