[Snort-users] Alerts with the incorrect Source IP (proxy server)

beenph beenph at ...11827...
Thu Oct 25 07:04:39 EDT 2012


On Thu, Oct 25, 2012 at 6:57 AM, Heine Lysemose <lysemose at ...11827...> wrote:
> Hi
>
> I have had some of the same issues and still have.
> Another solution was to use transparent proxy. I'm not able to do this on
> our TMG server which in a setup as transparent proxy also should be the
> default gateway which is not the case in our network setup.
>
> Could another solution be, since barnyard is not altering the packets, to
> have an option in the GUI (Snorby, Sguil, Squert) frontends to select
> whether or not to switch the "Orig IP" with the "XFF IP". This will of
> course only work if Barnyard2 will start populating the XFF/EXTRA DATA into
> the database. Maybe this will be part of the new database schema?
>

Yeppers, the new schema will natively support IPV6, EXTRA_DATA thus
will correctly log them without an issue.

-elz



