[Snort-users] Alerts with the incorrect Source IP (proxy server)

Eric G eric at ...15503...
Wed Oct 24 20:33:52 EDT 2012


On Oct 24, 2012 2:42 PM, "Jeremy Hoel" <jthoel at ...11827...> wrote:
>
> Check that out.. learned something new.  I don't have that value in my
> conf either but that's something worth looking at.

I didn't know about snort's xff option before Joel mentioned it either, but
if it refers to the "X forwarded for" http header as I suspect it does, it
might be turned off by default on your proxy appliance... we leave it off
at work on our proxies because we'd rather not leak out our internal IP
address scheme, and we have other ways of figuring out "who went where
when" or "what traffic caused this rule to fire an alert?"

At the end of the day, nothing beats good centralized logging and a packet
capture appliance :)

--
Eric
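The mechanism under discussion, as an added illustration that is not part of the thread or of Snort's own code: when an explicit proxy sits between the clients and the sensor, every TCP segment the sensor sees carries the proxy's address, so the alert's source IP is the proxy. A sensor that honours X-Forwarded-For instead takes the original client from that header, which only helps if the proxy is configured to emit it. The function below assumes the left-most entry of the first X-Forwarded-For header is the original client (the convention proxies follow when appending to an existing chain); whether Snort's xff option does exactly this is not stated on the page and is an assumption here. The request strings, the proxy address 10.0.0.5 and the client address 192.168.7.42 are constructed sample data. The trusted_proxies check is a caveat the thread does not raise: X-Forwarded-For is attacker-controlled on any connection that did not actually come from your proxy, so a sensor on an external interface should ignore it.

```python
import ipaddress

# Constructed sample: the proxy's address as seen in the IP header.
PROXY_IP = "10.0.0.5"

# Constructed sample: a request relayed by a proxy that emits X-Forwarded-For.
# The proxy appended its own address after the client's.
REQ_WITH_XFF = (
    "GET /payload.exe HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "X-Forwarded-For: 192.168.7.42, 10.0.0.5\r\n"
    "Via: 1.1 proxy01\r\n"
    "\r\n"
)

# Constructed sample: the same request from a proxy with the header disabled.
REQ_WITHOUT_XFF = (
    "GET /payload.exe HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Via: 1.1 proxy01\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Split an HTTP/1.x request head into {lower-name: [values...]}.

    Repeated headers are kept in order so the first occurrence can be
    distinguished from later, possibly injected, copies.
    """
    head = raw.partition("\r\n\r\n")[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def original_client_ip(raw, tcp_src, trusted_proxies=()):
    """Return (ip, origin) where origin is "xff" or "tcp".

    Mimics an X-Forwarded-For-aware sensor: report the left-most address of
    the first X-Forwarded-For header as the client, but only when the packet
    really came from one of trusted_proxies (an empty tuple means trust any
    sender, which is the unsafe default to avoid on an external interface).
    Anything missing or unparseable falls back to the TCP source address,
    which is what a sensor without the option reports in every case.
    """
    headers = parse_headers(raw)
    xff = headers.get("x-forwarded-for")
    if not xff:
        return tcp_src, "tcp"
    if trusted_proxies and tcp_src not in trusted_proxies:
        # Header present but the sender is not our proxy: do not believe it.
        return tcp_src, "tcp"
    candidate = xff[0].split(",")[0].strip()
    try:
        ipaddress.ip_address(candidate)
    except ValueError:
        # e.g. "unknown" or garbage: keep the address we can actually vouch for.
        return tcp_src, "tcp"
    return candidate, "xff"


if __name__ == "__main__":
    for label, req in (("with XFF", REQ_WITH_XFF), ("without XFF", REQ_WITHOUT_XFF)):
        ip, origin = original_client_ip(req, PROXY_IP, trusted_proxies={PROXY_IP})
        print(f"{label:12s} alert source = {ip} (from {origin})")
```

Running the block shows the difference the proxy setting makes: with the header the alert carries the real client, 192.168.7.42; without it, every alert behind that proxy is attributed to 10.0.0.5 and you are back to correlating proxy logs and packet captures by timestamp, as the post describes.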