[Snort-users] Snort on proxy (outbound alerts)

Thibaud Raso joga3.web at ...11827...
Fri Jan 18 04:29:21 EST 2013


Hi everybody,

I'm having a problem with my running instance of Snort, which is set up on my
proxy server (squid) and uses the ET ruleset.
I've been looking for a solution for a while, but I still have no answer.
My problem is that for some rules it alerts me on outbound traffic
instead of inbound traffic. Let me explain:

Here is a rule which only gives me alerts on outgoing traffic:

> alert tcp $HOME_NET any -> [50.31.138.120,50.63.202.69,60.13.186.5,60.199.114.84,
> 61.244.48.34,62.109.0.5,62.109.23.147,62.109.23.228,62.149.140.16,62.76.177.117,
> 63.143.42.126,64.124.180.220,64.127.71.73,64.29.151.221,64.37.52.22] any
> (msg:"ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server TCP (group 15)";
> flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC;
> reference:url,zeustracker.abuse.ch; reference:url,palevotracker.abuse.ch;
> reference:url,spyeyetracker.abuse.ch; threshold: type limit, track by_src,
> seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil;
> flowbits:set,ET.BotccIP; sid:2404128; rev:2915;)
>

And here is the type of alerts snort generates with this rule:

> [**] [1:2404128:2915] ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server TCP (group 15) [**]
> [Classification: A Network Trojan was Detected] [Priority: 1]
> 192.168.0.253:56884 -> 64.29.151.221:80
>

(192.168.0.253 is my proxy IP and 64.29.151.221 is a 'blacklisted' IP by
the rule.)

The problem with this rule is that it matches traffic destined to those
blacklisted IPs.
However, it is only interesting to me if I get alerts on my clients'
requests, not the proxy's. If alerts come from my proxy IP, I can't tell which
computer is causing trouble (in my LAN).

By the way, XFF is not enabled on my proxy, so there is no
'X-Forwarded-For' field in the HTTP requests (security policy), and the
Snort 'xff_enable' option in the http_inspect preprocessor will not help us
guess my clients' IPs.

So my question is: "Is there a way to get this kind of alert on incoming
traffic (when my clients make these requests to my proxy)?" and if yes, how
do I do that?
If something is not clear or if you need some more clues, you are welcome
to ask.

Snortely yours.
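Editor's note, added to this thread and not part of the original post or of the Snort/ET projects: when the sensor sits on the proxy and XFF is off, the alert's source address is always the proxy, so the client has to be recovered out of band. The proxy itself already holds the join key: in Squid's default native access.log format the ninth field (`hierarchy/peer`, e.g. `DIRECT/64.29.151.221`) records the upstream server IP that Snort saw as the alert's destination, even when the client requested the site by hostname. The script below parses a Snort `alert_fast` line and a handful of constructed Squid lines and returns the LAN clients that talked to the alert's destination within a few seconds of it. It assumes Snort was started with `-U` (UTC timestamps) and that Squid uses the native log format; the sample lines, hostnames and client addresses are constructed for the example.

```python
"""Correlate a Snort alert_fast line with Squid's native access.log to find
the LAN client behind an alert whose source is the proxy's own address.

Added example for this thread, not code from the original post.
Assumptions: Snort runs with -U (alert_fast timestamps in UTC), Squid writes
the default native log format, and Squid's hierarchy field (DIRECT/<ip>)
carries the upstream server IP that Snort logged as the alert destination.
"""
import re
from datetime import datetime, timezone

# alert_fast: MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: ...]
#             [Priority: n] {PROTO} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line, year):
    """Parse one alert_fast line. The format carries no year, so the caller supplies it."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    ts = ts.replace(tzinfo=timezone.utc)  # assumption: snort -U
    return {"epoch": ts.timestamp(), "sid": int(m["sid"]), "msg": m["msg"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def parse_squid(line):
    """Parse one native-format Squid line:
    time elapsed client action/code bytes method URL rfc931 hierarchy/peer type"""
    f = line.split()
    if len(f) < 10:
        return None
    hier, _, peer = f[8].partition("/")
    return {"epoch": float(f[0]), "client": f[2], "status": f[3],
            "method": f[5], "url": f[6], "hier": hier, "peer": peer}


def correlate(alert, squid_lines, window=5.0):
    """Squid entries whose upstream peer is the alert destination and whose
    completion time lies within `window` seconds of the alert (Squid logs at
    transaction end, so the entry may be slightly later than the SYN)."""
    hits = []
    for line in squid_lines:
        e = parse_squid(line)
        if e is None or e["peer"] != alert["dst"]:
            continue
        if abs(e["epoch"] - alert["epoch"]) <= window:
            hits.append(e)
    return hits


def clients_for_alert(alert_line, squid_lines, year, window=5.0):
    """Sorted list of distinct client IPs responsible for the alert."""
    alert = parse_alert(alert_line, year)
    if alert is None:
        return []
    return sorted({e["client"] for e in correlate(alert, squid_lines, window)})


# Constructed sample data (hostnames and clients invented for the example).
# 2013-01-18 04:29:21 UTC == 1358483361.
SAMPLE_ALERT = ("01/18-04:29:21.123456  [**] [1:2404128:2915] ET CNC Zeus/Spyeye/Palevo "
                "Tracker Reported CnC Server TCP (group 15) [**] [Classification: A Network "
                "Trojan was Detected] [Priority: 1] {TCP} 192.168.0.253:56884 -> 64.29.151.221:80")
SAMPLE_SQUID = [
    # unrelated client, unrelated destination, same second
    "1358483360.800    312 192.168.0.17 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    # the culprit: requested by hostname, resolved to the blacklisted IP
    "1358483361.402    279 192.168.0.42 TCP_MISS/200 413 GET http://evil.example/gate.php - DIRECT/64.29.151.221 text/html",
    # same client again via CONNECT; the peer field still exposes the IP
    "1358483365.000   1200 192.168.0.42 TCP_TUNNEL/200 3200 CONNECT evil.example:443 - DIRECT/64.29.151.221 -",
    # same destination but two hours earlier: outside the window
    "1358476200.110    201 192.168.0.99 TCP_MISS/200 413 GET http://evil.example/gate.php - DIRECT/64.29.151.221 text/html",
]

if __name__ == "__main__":
    print(clients_for_alert(SAMPLE_ALERT, SAMPLE_SQUID, 2013))
```

The time window is the weak point of this join: on a busy proxy several clients may reach the same server within a few seconds, so the script returns every candidate rather than picking one, and the `flags:S` in the rule above means the alert fires at connection setup while Squid logs at completion, which is why the comparison is symmetric and a few seconds wide. If the CnC rule ever fires for an IP reached through a cache peer rather than `DIRECT`, the peer field will name the parent proxy instead and the correlation has to be repeated against that proxy's log.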

