[Snort-users] Alerts with the incorrect Source IP (proxy server)

Jason Haar Jason_Haar at ...15306...
Thu Oct 25 19:16:53 EDT 2012


On 26/10/12 00:56, Bamm Visscher wrote:
> Brad - You can move the sensor outside the proxy and then you will get
> the external website IP address, but you may have to re-architect your
> proxy (turn on x-forwarded-for or use a transparent proxy) to be able
> to identify the internal source of the acty. Another option would be
> to add another sensor and sandwich the proxy between the two sensors.
>
That won't work because even with a transparent proxy, the tcp stream
leading away from the proxy has the *proxy's* IP address - not the client.

What would be needed to make snort correctly make the proxy "disappear"
from data is:

A: NIDS in front of LAN side of transparent proxy

1. snort will see true client address
2. snort will see IP address of end server
3. Profit!

B: NIDS in front of LAN side of traditional, non-transparent proxy

1. snort will see true client address
2. snort will see IP address of proxy. To fix, snort would need to have
new feature whereby it tracks the "Host:" header used by an outbound
proxy request and use that DNS name to resolve to an IP (gah - won't
work with servers with multiple IPs!!!) so that the outbound and return
traffic could be associated with that "forged" server IP instead of the
proxy

C: NIDS in front of WAN/Internet side of transparent OR non-transparent
proxy

1. snort will see IP of proxy, so will need to rely on proxy
administrator slightly lowering their privacy options by enabling
X-Forwarded-For on outbound
2. snort will see the IP address of the end server
3. Profit!


I would recommend doing "A" or "C" - in that order.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
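An added example, not code from this thread or from Snort, of the attribution logic the message describes for placements B and C: on the WAN side the sensor recovers the internal client from X-Forwarded-For, but only when the TCP source is a known proxy (otherwise any host could forge the header); on the LAN side of a non-transparent proxy the end server is recorded by name, since that is all the request carries. The function names, the proxy set and the sample addresses are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_http_request(raw: bytes):
    """Split the request head into (method, target, {lower-cased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers

def attribute_request(src_ip, dst_ip, raw, trusted_proxies):
    """Return (client, server) as the sensor should record them for this request.

    trusted_proxies: set of proxy IPs whose X-Forwarded-For the sensor may believe.
    Without that check any host could forge the header and shift blame."""
    method, target, headers = parse_http_request(raw)
    client, server = src_ip, dst_ip
    if src_ip in trusted_proxies:
        # Placement C: sensor on the WAN side, the proxy is the TCP source.
        # The left-most X-Forwarded-For entry is the original client; later
        # entries are proxies the request passed through.
        first = headers.get("x-forwarded-for", "").split(",")[0].strip()
        try:
            client = str(ipaddress.ip_address(first))
        except ValueError:
            pass  # header absent or malformed: keep the proxy's address
    elif dst_ip in trusted_proxies:
        # Placement B: sensor on the LAN side of a non-transparent proxy, the
        # proxy is the TCP destination. The real server is known only by name
        # (absolute-URI target, CONNECT target or Host header), never by IP.
        if method == "CONNECT":
            server = target.rsplit(":", 1)[0]
        else:
            server = urlsplit(target).hostname or headers.get("host", dst_ip).rsplit(":", 1)[0]
    return client, server

if __name__ == "__main__":
    # Constructed sample: request captured on the WAN side of the proxy 203.0.113.10.
    wan = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nX-Forwarded-For: 10.1.2.3\r\n\r\n"
    print(attribute_request("203.0.113.10", "198.51.100.20", wan, {"203.0.113.10"}))
```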
