[Snort-users] [Emerging-Sigs] Snort Alerts Differences with and without WebProxy

Balasubramaniam Natarajan bala150985 at ...11827...
Sun May 20 17:33:35 EDT 2012


There was an error in my previous link; this is the correct one, which shows
the Test2 and Test3 results.

http://img207.imageshack.us/img207/4480/snortproxy.jpg

On Mon, May 21, 2012 at 12:58 AM, Balasubramaniam Natarajan <bala150985 at ...11827...> wrote:

> Hi
>
> I made some more tests and I confirm that something is going wrong if I
> have the proxy on: on my clients Snort is missing some alerts.
>
> *Baseline without Proxy*
> When I did not use a webproxy for the client and accessed a page
> wherein username and password would be submitted over clear text, Snort
> would throw up this alert:
> "ET POLICY Http Client Body contains pass= in cleartext".
>
> *Test1: (Running Wireshark on client)*
> I ran Wireshark locally on the client and tried to access the same page
> wherein username and password would be submitted over clear text. Snort did
> not throw the alert like previously, though I am able to see my username and
> password in the pcap.
>
> *Test2: (Running tcpdump on snort: # tcpdump -vv -i eth0 -w eth0.pcap -s 0)*
> I ran tcpdump on the eth0 interface of snort and tried to access the
> same page wherein username and password would be submitted over clear text.
> Snort did not throw the alert, though I am able to see my username and
> password in the pcap.
>
> *Test3: (Running tcpdump on snort: # tcpdump -vv -i eth1 -w eth1.pcap -s 0)*
> I ran tcpdump on the eth1 interface of snort and tried to access the
> same page wherein username and password would be submitted over clear text.
> Snort did not throw the alert, though I am able to see my username and
> password in the pcap.
>
> Attaching screen shot of Test2 and Test3.
>
> http://img207.imageshack.us/img207/4480/snortproxy.jpg
>
> *Note:* I had to add the additional switch "-s 0" to tcpdump as I was
> getting this error: "[Packet size limited during capture: HTTP truncated]".
> I am not sure if Snort is sharing the same fate as tcpdump, and I am not
> sure how to add the additional switch "-s 0" to the running instance of
> Snort.
>
> @Joel, thanks for showing me the right group to address this question to;
> I did not see any "incorrect" appearing in the pcap.
>
>
> On Sun, May 20, 2012 at 8:56 PM, Joel Esler <jesler at ...1935...> wrote:
>
>> Probably a better question for the Snort-users mailing list. But yes, the
>> IPs may show up differently (for instance, the source IP may be that of the
>> proxy).
>>
>> Maybe some checksum errors in there?
>>
>> Do a tcpdump on the interface with the -vv options and see if "incorrect"
>> shows up in the dump.
>>
>> --
>> Joel Esler
>>
>> On May 20, 2012, at 4:31 AM, Balasubramaniam Natarajan <bala150985 at ...11827...> wrote:
>>
>> Hi
>>
>> Should there be any difference in Snort alerts if the internal clients
>> are using a webproxy, as opposed to those which are not? I am asking this
>> because I see a remarkable difference between the two.
>>
>>
>> *Initial Configuration without Squid WebProxy*
>>
>> Internal Clients (Default Gateway eth1 on snort) ---> (eth1) Snort (eth0) ----> Internet
>>
>> Snort was running on eth1 and it logged lots of alerts
>>
>>
>> *Present Configuration with Squid WebProxy*
>>
>> Internal Client (webproxy to snort:3128 on eth1) ------> (eth1) Snort (eth0) ------> Internet
>>
>> Now Snort is running on the eth0 interface and the number of alerts
>> logged is far lower. I guess some alerts are somehow missed.
>>
>> --
>> Regards,
>> Balasubramaniam Natarajan
>> www.etutorshop.com/moodle/
>>
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at ...15591...
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
>> Current!
>>
>>
>
>
> --
> Regards,
> Balasubramaniam Natarajan
> www.etutorshop.com/moodle/
>
>


-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
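The snaplen truncation the quoted Note describes (the "[Packet size limited during capture]" warning) can be checked directly in a capture file, and it explains why a content rule such as the "pass= in cleartext" signature can stop matching. The block below is an added example written for this page; it is not code from the thread, from Emerging Threats or from the Snort project. It constructs a single cleartext login POST packet (addresses, ports, checksums and timestamps are placeholders, not a real capture), writes it into two in-memory pcaps, one cut at a 96-byte snaplen and one at the full 65535 bytes that "-s 0" gives, and then shows that a plain content match on "pass=" only finds the body in the untruncated capture.

```python
import struct

# libpcap file constants (little-endian writer, microsecond timestamps)
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_RAW = 101          # raw IP with no link-layer header; keeps the packet simple


def build_post_packet():
    """Construct one IPv4/TCP packet carrying a cleartext login POST.

    The IP and TCP headers are minimal placeholders (zero checksums, fixed
    documentation addresses and ports) built only so the payload sits at a
    realistic offset; they are constructed for this example, not captured."""
    body = b"username=alice&pass=secret1"
    http = (b"POST /login HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n"
            b"\r\n" + body)
    total_len = 20 + 20 + len(http)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + http


def build_pcap(packets, snaplen):
    """Write a pcap in memory, cutting each packet at snaplen the way a capture
    tool configured with that snaplen does (incl_len < orig_len when cut)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_RAW)
    for i, pkt in enumerate(packets):
        captured = pkt[:snaplen]
        # record header: ts_sec, ts_usec, incl_len (captured), orig_len (on the wire)
        out += struct.pack("<IIII", 1337551200 + i, 0, len(captured), len(pkt))
        out += captured
    return out


def iter_records(pcap_bytes):
    """Yield (incl_len, orig_len, data) for each record of a little-endian pcap."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond-timestamp pcap")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, orig_len = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        yield incl_len, orig_len, pcap_bytes[off:off + incl_len]
        off += incl_len


def truncated_records(pcap_bytes):
    """Records whose captured length is shorter than the wire length: the
    condition Wireshark reports as 'Packet size limited during capture'."""
    return [(i, inc, orig)
            for i, (inc, orig, _) in enumerate(iter_records(pcap_bytes))
            if inc < orig]


def records_containing(pcap_bytes, needle):
    """Indexes of records whose captured bytes contain needle, i.e. what a
    plain content match (like 'pass=') can still see after truncation."""
    return [i for i, (_, _, data) in enumerate(iter_records(pcap_bytes))
            if needle in data]


POST_PACKET = build_post_packet()
TRUNCATED_CAPTURE = build_pcap([POST_PACKET], snaplen=96)      # short snaplen
FULL_CAPTURE = build_pcap([POST_PACKET], snaplen=65535)        # what "-s 0" gives

if __name__ == "__main__":
    for name, cap in (("snaplen 96", TRUNCATED_CAPTURE), ("snaplen 65535", FULL_CAPTURE)):
        print(name, "| truncated records:", truncated_records(cap),
              "| pass= visible in records:", records_containing(cap, b"pass="))
```

To check a real file, replace the in-memory bytes with `open(path, "rb").read()`; any record listed by `truncated_records()` is one where a content rule could not have matched anything beyond the cut. For Snort 2.x itself the capture length is set with the `-P <snaplen>` command-line option or the `config snaplen:` directive in snort.conf. Since Joel's reply also raises checksum errors: Snort by default does not process packets whose checksums fail (`config checksum_mode:`), and a common cause of "incorrect" checksums in a tcpdump -vv listing is NIC checksum offload on locally generated traffic, which is exactly the traffic Snort sees on eth0 once Squid on the same box originates the outbound connections.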