[Snort-users] Snort on proxy (outbound alerts)

Jason Wallace jason.r.wallace at ...11827...
Fri Jan 18 13:58:17 EST 2013


I have a similar situation, a proxy with a single NIC. While my sensor
is inline with this NIC, I prefer to only inspect the traffic between
the client and the proxy, and not the proxy to outside. This is the
BPF I use.

(src net 10.0.0.0/8 or src net 192.168.0.0/16 or src net
172.16.0.0/12) and (dst net <proxy #1 IP>/32 or dst net <proxy #2
IP>/32) or (src net <proxy #1 IP>/32 or src net <proxy #2 IP>/32) and
(dst net 10.0.0.0/8 or dst net 192.168.0.0/16 or dst net
172.16.0.0/12)

Thx,
Wally

On Fri, Jan 18, 2013 at 12:34 PM, waldo kitty <wkitty42 at ...14940...> wrote:
> On 1/18/2013 06:50, J. H wrote:
>> Hi,
>>
>> Thank you for answering.
>>
>> Only one interface on my proxy machine.
>>
>> SQUID/Snort listenin on the same one.
>
> some might consider that to be part of the problem... it sounds like what you
> want is for snort to be listening only to your internal machines... you might be
> able to use a bpf to block out alerts concerning your proxy...
>
>
>
> ------------------------------------------------------------------------------
> Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
> much more. Get web development skills now with LearnDevNow -
> 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
> SALE $99.99 this month only -- learn more at:
> http://p.sf.net/sfu/learnmore_122812
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!




More information about the Snort-users mailing list