[Snort-users] Alerts with the incorrect Source IP (proxy server)

Joel Esler jesler at ...1935...
Thu Oct 25 08:39:07 EDT 2012


Bamm,

You're right it all depends upon which side of the proxy you happen to be on when doing the inspection. Thank you for clarifying. 

--
Joel Esler
Sent from my iPad 

On Oct 25, 2012, at 7:56 AM, Bamm Visscher <bamm.visscher at ...11827...> wrote:

> If he's logging the IP of the proxy and not the external website, then
> it sounds like the sensor is between the internal network and the
> proxy. If that is the case, enable_xff won't help since at that
> location the destination IP address hasn't been resolved (the proxy
> will do that).
> 
> Brad - You can move the sensor outside the proxy and then you will get
> the external website IP address, but you may have to re-architect your
> proxy (turn on x-forwarded-for or use a transparent proxy) to be able
> to identify the internal source of the activity. Another option would be
> to add another sensor and sandwich the proxy between the two sensors.
> 
> Bamm
> 
> 
> On Wed, Oct 24, 2012 at 2:10 PM, Joel Esler <jesler at ...1935...> wrote:
>> If you have additional logging turned on, and your proxy supports it (and
>> you have "enable_xff" turned on in the snort.conf), we'll log the actual IP
>> in the additional data in the unified2 file.
>> 
>> --
>> Joel Esler
>> Senior Research Engineer, VRT
>> OpenSource Community Manager
>> Sourcefire
>> 
>> On Oct 24, 2012, at 1:27 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
>> 
>> What Snort alerts on is what the IPs are from inside the packet. If you
>> tcpdump that same connection and you are seeing the proxy talk to the
>> client, and that's the packets that are making the alert then the way
>> to fix that is to move the span port location.  Snort only reports
>> what it sees and it can't 'infer' what the original source of the
>> packets are.
>> 
>> But more examples of your network layout and an example of the alert might
>> help.
>> 
>> On Wed, Oct 24, 2012 at 5:04 PM, Turnbough, Bradley E.
>> <bturnbough at ...15650...> wrote:
>> 
>> Hi Guys,
>> 
>> 
>> 
>> I’m getting alerts generated, but they are coming up as the source IP of my
>> proxy server.  Is there a way to tell Snort / Barnyard2 / Snorby that it
>> should report the IP address of the website instead?
>> 
>> 
>> 
>> Thanks,
>> 
>> Brad
>> 
>> 
>> 
>> This e-mail transmission contains information that is confidential and may
>> be privileged. It is intended only for the addressee(s) named above. If you
>> receive this e-mail in error, please do not read, copy or disseminate it in
>> any manner. If you are not the intended recipient, any disclosure, copying,
>> distribution or use of the contents of this information is prohibited.
>> Please reply to the message immediately by informing the sender that the
>> message was misdirected. After replying, please erase it from your computer
>> system. Your assistance in correcting this error is appreciated.
>> 
>> ------------------------------------------------------------------------------
>> Everyone hates slow websites. So do we.
>> Make your web apps faster with AppDynamics
>> Download AppDynamics Lite for free today:
>> http://p.sf.net/sfu/appdyn_sfd2d_oct
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>> 
>> Please visit http://blog.snort.org to stay current on all the latest Snort
>> news!
>> 
>> 
> 
> 
> 
> -- 
> sguil - The Analyst Console for NSM
> http://sguil.sf.net
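To make the sensor-placement point in this thread concrete, here is an added example (not code from the thread or from Snort) that classifies a captured HTTP request by which side of the proxy the sensor sits on and, outside the proxy, recovers the internal client from X-Forwarded-For. The sample captures and addresses are constructed; only the last XFF entry is trusted, and only when the packet really comes from the proxy, because anything earlier in the list is supplied by the client side.

```python
import ipaddress

# Constructed sample captures, not from the thread. Internal client 10.1.2.3,
# proxy 10.1.0.9 (inside leg) / 203.0.113.9 (outside leg), website 198.51.100.20.
CAPTURE_INSIDE = {   # sensor between the clients and the proxy
    "src": "10.1.2.3", "dst": "10.1.0.9",
    "http": b"GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
}
CAPTURE_OUTSIDE = {  # sensor between the proxy and the internet, XFF enabled
    "src": "203.0.113.9", "dst": "198.51.100.20",
    "http": (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
             b"X-Forwarded-For: 192.0.2.77, 10.1.2.3\r\n\r\n"),
}
# Both legs of the proxy; only these sources may vouch for a client via XFF.
TRUSTED_PROXIES = {ipaddress.ip_address("10.1.0.9"),
                   ipaddress.ip_address("203.0.113.9")}


def xff_header(raw: bytes):
    """Return the X-Forwarded-For value of a raw HTTP request, or None."""
    head = raw.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"x-forwarded-for":
            return value.decode("ascii", "replace").strip()
    return None


def true_endpoints(pkt):
    """Map a captured request to (client, server, how).

    Outside the proxy the packet source is the proxy, so the original client is
    only recoverable from XFF; trust just the last entry (the one our own proxy
    appended). Inside the proxy the destination is the proxy itself and the web
    site's address has not been resolved yet, so XFF cannot help there.
    """
    src = ipaddress.ip_address(pkt["src"])
    dst = ipaddress.ip_address(pkt["dst"])
    if src in TRUSTED_PROXIES:
        xff = xff_header(pkt["http"])
        if xff:
            try:
                client = ipaddress.ip_address(xff.split(",")[-1].strip())
                return str(client), str(dst), "xff"
            except ValueError:
                pass  # malformed XFF: fall back to what the packet says
        return str(src), str(dst), "proxy-no-xff"
    if dst in TRUSTED_PROXIES:
        return str(src), None, "inside-proxy"  # server not known yet
    return str(src), str(dst), "direct"        # untrusted source: ignore XFF
```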



