[Snort-users] Alerts with the incorrect Source IP (proxy server)

Heine Lysemose lysemose at ...11827...
Thu Oct 25 07:43:55 EDT 2012


Thanks for the confirmation.

/Lysemose

On Thu, Oct 25, 2012 at 11:04 AM, beenph <beenph at ...11827...> wrote:

> On Thu, Oct 25, 2012 at 6:57 AM, Heine Lysemose <lysemose at ...11827...>
> wrote:
> > Hi
> >
> > I have had some of the same issues and still have.
> > Another solution was to use a transparent proxy. I'm not able to do this on
> > our TMG server which in a setup as a transparent proxy also should be the
> > default gateway which is not the case in our network setup.
> >
> > Could another solution be, since barnyard is not altering the packets, to
> > have an option in the GUI (Snorby, Sguil, Squert) frontends to select
> > whether or not to switch the "Orig IP" with the "XFF IP". This will of
> > course only work if Barnyard2 will start populating the XFF/EXTRA DATA into
> > the database. Maybe this will be part of the new database schema?
> >
>
> Yeppers, the new schema will natively support IPV6, EXTRA_DATA thus
> will correctly log them without an issue.
>
> -elz
>