[Snort-users] [Emerging-Sigs] Snort Alerts Differences with and without WebProxy

Balasubramaniam Natarajan bala150985 at ...11827...
Mon May 21 03:30:01 EDT 2012


I also tried giving an additional option of "-P 0" while invoking snort;
still no result.

On Mon, May 21, 2012 at 3:03 AM, Balasubramaniam Natarajan <
bala150985 at ...11827...> wrote:

> There was an error in my previous link, this is the correct one which
> shows Test2 and Test3 results.
>
> http://img207.imageshack.us/img207/4480/snortproxy.jpg
>
>
> On Mon, May 21, 2012 at 12:58 AM, Balasubramaniam Natarajan <
> bala150985 at ...11827...> wrote:
>
>> Hi
>>
>> I made some more tests and I confirm that something is going wrong if I
>> have the proxy on; on my clients Snort is missing some alerts.
>>
>> *Baseline without Proxy*
>> When I did not use a webproxy for the client and when I accessed a page
>> wherein username and password would be submitted over clear text, Snort
>> would throw up this alert:
>> "ET POLICY Http Client Body contains pass= in cleartext".
>>
>> *Test1: (Running Wireshark on client)*
>> I ran Wireshark locally on the client and tried to access the same page
>> wherein username and password would be submitted over clear text. Snort did
>> not throw the alert like previously, though I am able to see my username and
>> password in the pcap.
>>
>> *Test2: (Running tcpdump on Snort: # tcpdump -vv -i eth0 -w eth0.pcap -s 0)*
>> I ran tcpdump on the eth0 interface of Snort and tried to access the
>> same page wherein username and password would be submitted over clear text.
>> Snort did not throw the alert, though I am able to see my username and
>> password in the pcap.
>>
>> *Test3: (Running tcpdump on Snort: # tcpdump -vv -i eth1 -w eth1.pcap -s 0)*
>> I ran tcpdump on the eth1 interface of Snort and tried to access the
>> same page wherein username and password would be submitted over clear text.
>> Snort did not throw the alert, though I am able to see my username and
>> password in the pcap.
>>
>> Attaching screen shot of Test2 and Test3.
>>
>> http://img207.imageshack.us/img207/4480/snortproxy.jpg
>>
>> *Note:* I had to add the additional switch of "-s 0" to tcpdump as I
>> was getting this error: "[Packet size limited during capture: HTTP
>> truncated]". I am not sure if Snort is sharing the same fate as tcpdump,
>> and I am not sure how to add the additional switch of "-s 0" to the running
>> instance of Snort.
>>
>> @Joel, thanks for showing me the right group to address this question to, and
>> I did not see any "incorrect" appearing in the pcap.
>>
>>
>> On Sun, May 20, 2012 at 8:56 PM, Joel Esler <jesler at ...1935...>wrote:
>>
>>> Probably a better question for the Snort-users mailing list. But yes,
>>> the IPs may show up differently (for instance the source IP may be that of
>>> the proxy).
>>>
>>> Maybe some checksum errors in there?
>>>
>>> Do a tcpdump on the interface with the -vv options and see if
>>> "incorrect" shows up in the dump.
>>>
>>> --
>>> Joel Esler
>>>
>>> On May 20, 2012, at 4:31 AM, Balasubramaniam Natarajan <
>>> bala150985 at ...11827...> wrote:
>>>
>>> Hi
>>>
>>> Should there be any difference in Snort alerts if the internal clients
>>> are using a webproxy as opposed to those which are not? I am asking this
>>> because I see a remarkable difference between the two.
>>>
>>>
>>> *Initial Configuration without Squid WebProxy*
>>> Internal Clients (Default Gateway eth1 on snort) ---> (eth1) Snort
>>> (eth0) ----> Internet
>>>
>>> Snort was running on eth1 and it logged lots of alerts
>>>
>>>
>>> *Present Configuration with Squid WebProxy*
>>>
>>> Internal Client (webproxy to snort:3128 on eth1)   ------> (eth1) Snort
>>> (eth0) ------> Internet
>>>
>>> Now Snort is running on the eth0 interface and the number of alerts which
>>> are logged is far lower. I guess some alerts are somehow missed.
>>>
>>> --
>>> Regards,
>>> Balasubramaniam Natarajan
>>> www.etutorshop.com/moodle/
>>>
>>
>>
>> --
>> Regards,
>> Balasubramaniam Natarajan
>> www.etutorshop.com/moodle/
>>
>>
>
>
> --
> Regards,
> Balasubramaniam Natarajan
> www.etutorshop.com/moodle/
>
>


-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/
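The "[Packet size limited during capture: HTTP truncated]" message seen in Test2 and Test3 means the capture snaplen was smaller than the frame, so the tail of the HTTP request body (where a pass= field would sit) was never written out, and any tool reading a capture limited that way has nothing to match on. As an added example, not code from this thread or from the Snort project, here is a Python check that reads a classic pcap global header for its snaplen and lists every record whose captured length is shorter than its on-the-wire length; the pcap it inspects is constructed inline.

```python
import struct

MAGIC_LE = 0xA1B2C3D4   # classic pcap magic as read "<I" from a little-endian file
MAGIC_BE = 0xD4C3B2A1   # same magic as read "<I" from a big-endian file
GLOBAL_HDR_LEN = 24
RECORD_HDR_LEN = 16


def build_pcap(snaplen, packets):
    """Constructed sample input: a classic little-endian pcap.
    packets is a list of (captured_bytes, original_wire_length)."""
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    out = struct.pack("<IHHiIII", MAGIC_LE, 2, 4, 0, 0, snaplen, 1)
    for data, orig_len in packets:
        # ts_sec, ts_usec, incl_len (bytes captured), orig_len (bytes on the wire)
        out += struct.pack("<IIII", 0, 0, len(data), orig_len) + data
    return out


def check_truncation(pcap_bytes):
    """Return (snaplen, truncated); truncated lists (index, captured_len, wire_len)
    for every record the capture snaplen cut short."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic == MAGIC_LE:
        end = "<"
    elif magic == MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a classic pcap file")
    snaplen, = struct.unpack_from(end + "I", pcap_bytes, 16)
    truncated, off, idx = [], GLOBAL_HDR_LEN, 0
    while off + RECORD_HDR_LEN <= len(pcap_bytes):
        incl_len, orig_len = struct.unpack_from(end + "II", pcap_bytes, off + 8)
        if incl_len < orig_len:
            truncated.append((idx, incl_len, orig_len))
        off += RECORD_HDR_LEN + incl_len
        idx += 1
    return snaplen, truncated


if __name__ == "__main__":
    # Constructed capture taken with snaplen 96: a 60-byte frame fits,
    # a 1400-byte HTTP POST is cut after 96 bytes (the "HTTP truncated" case).
    sample = build_pcap(96, [(b"\x00" * 60, 60), (b"\x00" * 96, 1400)])
    snaplen, cut = check_truncation(sample)
    print(f"snaplen={snaplen}, truncated packets={cut}")
```

Run it against a real eth0.pcap by replacing the constructed sample with `open("eth0.pcap", "rb").read()`; a snaplen below the MTU or any truncated records explains why the body-matching rule could not fire on that capture.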