[Snort-users] Alerts with the incorrect Source IP (proxy server)

Heine Lysemose lysemose at ...11827...
Thu Oct 25 06:57:21 EDT 2012


Hi

I have had some of the same issues and still have.
Another solution was to use a transparent proxy. I'm not able to do this on
our TMG server, which in a setup as a transparent proxy also should be the
default gateway, which is not the case in our network setup.

Could another solution be, since Barnyard is not altering the packets, to
have an option in the GUI frontends (Snorby, Sguil, Squert) to select
whether or not to switch the "Orig IP" with the "XFF IP"? This will of
course only work if Barnyard2 starts populating the XFF/EXTRA DATA into
the database. Maybe this will be part of the new database schema?

/Lysemose

On Thu, Oct 25, 2012 at 2:33 AM, Eric G <eric at ...15503...> wrote:

> On Oct 24, 2012 2:42 PM, "Jeremy Hoel" <jthoel at ...11827...> wrote:
> >
> > Check that out... learned something new.  I don't have that value in my
> conf either but that's something worth looking at.
>
> I didn't know about snort's xff option before Joel mentioned it either,
> but if it refers to the "X forwarded for" http header as I suspect it does,
> it might be turned off by default on your proxy appliance... we leave it
> off at work on our proxies because we'd rather not leak out our internal IP
> address scheme, and we have other ways of figuring out "who went where
> when" or "what traffic caused this rule to fire an alert?"
>
> At the end of the day, nothing beats good centralized logging and a packet
> capture appliance :)
>
> --
> Eric
>
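The "Orig IP" / "XFF IP" switch proposed above, worked through as an added example; this is not code from Snort, Barnyard2, Snorby, Sguil or Squert. It assumes Snort was run with the X-Forwarded-For option the thread refers to (http_inspect's enable_xff) so that each alert record carries the packet source and the XFF header value, and that the analyst supplies the set of proxies whose XFF header is trusted. It also builds in the caveat from the quoted reply: an XFF header is just text the sender chose, so it is only honoured on packets that actually come from one of our proxies, and the packet's own source address is kept alongside the resolved one so the display can be switched back. All alert records, addresses and the HTTP request below are constructed.

```python
"""Resolve the client address behind a proxy for a Snort alert (added example)."""
import ipaddress
from typing import Optional

# Constructed: the TMG/Squid-style proxies whose X-Forwarded-For we trust.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.5/32"),
    ipaddress.ip_network("10.0.0.6/32"),
]


def parse_xff(raw_request: bytes) -> Optional[str]:
    """Pull the X-Forwarded-For value(s) out of a raw HTTP request header block.

    Multiple X-Forwarded-For headers are combined with ", " as HTTP allows.
    Returns None when the proxy did not send the header at all.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line itself
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"x-forwarded-for":
            values.append(value.strip().decode("ascii", "replace"))
    return ", ".join(values) if values else None


def _is_trusted(ip: str, trusted_proxies) -> bool:
    """True when ip parses and lies inside one of the trusted proxy networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_proxies)


def resolve_client(src_ip: str, xff: Optional[str], trusted_proxies) -> str:
    """Pick the address a frontend should display as the alert's source.

    The packet source is replaced only when it belongs to a trusted proxy;
    an XFF header on a packet from anywhere else is attacker-controlled and
    is ignored.  The chain is walked from the right (the hop nearest to us)
    towards the left, skipping our own proxies; the first address that is
    not ours is the client.  An unparseable hop (e.g. Squid's "unknown")
    stops the walk and leaves the packet source in place.
    """
    if not xff or not _is_trusted(src_ip, trusted_proxies):
        return src_ip
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return src_ip
        if not any(addr in net for net in trusted_proxies):
            return str(addr)
    return src_ip  # every hop was one of our proxies: nothing better to show


def enrich_alerts(alerts, trusted_proxies):
    """Return copies of the alert records with a 'display_src' field added.

    'src_ip' (the "Orig IP") is kept untouched so the GUI switch proposed in
    the thread can be flipped back at any time.
    """
    out = []
    for alert in alerts:
        rec = dict(alert)
        rec["display_src"] = resolve_client(alert["src_ip"], alert.get("xff"), trusted_proxies)
        out.append(rec)
    return out


# Constructed sample data: one raw request as the proxy would forward it,
# and a handful of alert records as barnyard2 might hand them to a frontend.
SAMPLE_REQUEST = (
    b"GET /cgi-bin/test HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-Forwarded-For: 192.168.1.23, 10.0.0.6\r\n"
    b"\r\n"
)

SAMPLE_ALERTS = [
    {"sid": 1, "src_ip": "10.0.0.5", "xff": "192.168.1.23"},           # plain case
    {"sid": 2, "src_ip": "10.0.0.5", "xff": parse_xff(SAMPLE_REQUEST)},  # two-proxy chain
    {"sid": 3, "src_ip": "203.0.113.9", "xff": "192.168.1.23"},         # XFF not from our proxy
    {"sid": 4, "src_ip": "10.0.0.5", "xff": None},                      # proxy sends no XFF
    {"sid": 5, "src_ip": "10.0.0.5", "xff": "unknown, 10.0.0.6"},       # unusable hop
]

if __name__ == "__main__":
    for rec in enrich_alerts(SAMPLE_ALERTS, TRUSTED_PROXIES):
        print(rec["sid"], rec["src_ip"], "->", rec["display_src"])
```

Alert 3 is the one to watch: the header names an internal address, but the packet came straight from the internet, so displaying it would let anyone steer where an analyst looks just by sending a crafted header. Alert 4 is the situation Eric describes (XFF disabled on the proxy); the code falls back to the proxy address, which is where centralized proxy logging or a packet capture has to take over.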