[Snort-users] Snort on proxy (outbound alerts)
joga3.web at ...11827...
Fri Jan 18 04:29:21 EST 2013
I'm having a problem with my running instance of Snort, which is set up on my
proxy server (Squid) and uses the ET ruleset.
I've been looking for a solution for a while, but I still have no answer.
My problem is that, for some rules, it alerts me on outbound traffic
instead of inbound traffic. Let me explain:
Here is a rule which only gives me alerts on outgoing traffic:
> alert tcp $HOME_NET any -> [22.214.171.124,126.96.36.199, 188.8.131.52,
> 184.108.40.206,220.127.116.11,18.104.22.168,22.214.171.124,126.96.36.199] any
> (msg:"ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server TCP (group
> 15)"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC;
> reference:url,zeustracker.abuse.ch; reference:url,palevotracker.abuse.ch
> ;reference:url,spyeyetracker.abuse.ch; threshold: type limit, track
> by_src, seconds 3600, count 1; classtype:trojan-activity;
> flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404128; rev:2915;)
And here is the type of alerts snort generates with this rule:
> [**] [1:2404128:2915] ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC
> Server TCP (group 15) [**][Classification: A Network Trojan was Detected]
> [Priority: 1] 192.168.0.253:56884 ->
(192.168.0.253 is my proxy IP and 188.8.131.52 is a 'blacklisted' IP by
The problem with this rule is that it matches traffic destined to those
However, it is only interesting to me if I get alerts on my clients'
requests, not the proxy's. If alerts come from my proxy IP, I can't target which
computer is causing trouble (in my LAN).
By the way, XFF is not enabled on my proxy, so there is no
'X-Forwarded-For' field in the HTTP requests (security policy), and the
Snort 'xff_enable' option in the http_inspect preprocessor will not help us
to guess my client's IP.
So my question is: "Is there a way to get this kind of alert on incoming
traffic (when my clients make these requests to my proxy)?" and if yes, how
do I do that?
If something is not clear or if you need some more clues, you are welcome
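The ET rule above keys on the destination IP of the outbound connection, and on a proxy host the source of that connection is always the proxy itself. One way to get the alert on the client-to-proxy leg instead is to match the CnC address where the LAN client names it: in the Host header (or the CONNECT target / absolute-form URI) of the request it sends to Squid. The script below is an added example, not the poster's code and not an Emerging Threats rule; it assumes Squid listens on TCP 3128, that snort.conf defines a $PROXY_SERVER variable for the proxy's address, that local sids start at 1000001, and that proxied requests carry a Host header (plain HTTP requests through a proxy always do; CONNECT requests from common clients do as well). It rewrites the IP list from the quoted rule into per-IP Host-header rules and runs the same matching logic over a few constructed client requests to show that the hit is attributed to the client, not the proxy.

```python
"""Match a reported CnC IP on the client->proxy leg instead of proxy->Internet.

Added example (not the original poster's code or an ET rule). Assumes a
Squid listener on TCP 3128, a snort.conf variable $PROXY_SERVER, and local
sids starting at 1000001; the CnC IPs are the ones quoted in the post.
"""
import re

# Unique IPs from the ET tracker rule quoted in the post (group 15).
CNC_IPS = [
    "22.214.171.124", "126.96.36.199", "188.8.131.52", "184.108.40.206",
    "220.127.116.11", "18.104.22.168",
]

PROXY_VAR = "$PROXY_SERVER"   # assumption: defined in snort.conf (ipvar)
PROXY_PORT = 3128             # assumption: Squid's default http_port
SID_BASE = 1000001            # assumption: local rule sid range


def build_proxy_rules(ips, proxy_var=PROXY_VAR, proxy_port=PROXY_PORT,
                      sid_base=SID_BASE):
    """Emit one Snort rule per CnC IP that fires on the client's proxy request.

    Direction is $HOME_NET -> proxy listener, so src_ip in the alert is the
    LAN client.  The CnC address is matched as "Host: <ip>" in the normalised
    HTTP header buffer (http_header) rather than as the packet's dst_ip.
    """
    rules = []
    for i, ip in enumerate(ips):
        rules.append(
            f'alert tcp $HOME_NET any -> {proxy_var} {proxy_port} '
            f'(msg:"LOCAL Client requested reported CnC host {ip} via proxy"; '
            'flow:to_server,established; '
            f'content:"Host|3A| {ip}"; nocase; http_header; '
            'classtype:trojan-activity; '
            f'sid:{sid_base + i}; rev:1;)'
        )
    return rules


# Three places the origin host shows up in a proxy-style request.
_CONNECT = re.compile(r"^CONNECT ([^:\s]+)", re.I)
_ABS_URI = re.compile(r"^[A-Z]+ https?://([^/:\s]+)", re.I)
_HOST_HDR = re.compile(r"^Host:\s*([^:\s]+)", re.I | re.M)


def proxied_target(request):
    """Return the origin host a client's proxy request is addressed to.

    Checks, in order, a CONNECT request line (TLS tunnel), an absolute-form
    request URI, and the Host header.  Returns None if none is present.
    """
    m = _CONNECT.match(request) or _ABS_URI.match(request)
    if m:
        return m.group(1)
    m = _HOST_HDR.search(request)
    return m.group(1) if m else None


def find_cnc_requests(records, cnc_ips=CNC_IPS):
    """records: iterable of (client_ip, raw_request_text).

    Returns the (client_ip, target) pairs that name a CnC IP, so each hit
    carries the LAN client's address rather than the proxy's.
    """
    bad = set(cnc_ips)
    hits = []
    for client_ip, raw in records:
        target = proxied_target(raw)
        if target in bad:
            hits.append((client_ip, target))
    return hits


# Constructed sample requests, as Squid would receive them from LAN clients.
SAMPLE_RECORDS = [
    ("192.168.0.42",
     "GET http://188.8.131.52/gate.php HTTP/1.1\r\nHost: 188.8.131.52\r\n\r\n"),
    ("192.168.0.77",
     "CONNECT 22.214.171.124:443 HTTP/1.1\r\nHost: 22.214.171.124:443\r\n\r\n"),
    ("192.168.0.12",
     "GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
]

if __name__ == "__main__":
    for rule in build_proxy_rules(CNC_IPS):
        print(rule)
    for client, target in find_cnc_requests(SAMPLE_RECORDS):
        print(f"ALERT client {client} requested CnC host {target} via proxy")
```

The generated rules keep the original rule's threshold-free form for brevity; in production you would add the same `threshold: type limit, track by_src` clause so one infected client does not flood the log, and note that `content:"Host|3A| 188.8.131.52"` is a substring match and would also hit a longer address that starts with those digits, so the `proxied_target` exact comparison above is the stricter of the two checks.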