[Snort-users] Snort on proxy (outbound alerts)

Joel Esler jesler at ...1935...
Fri Jan 18 14:11:33 EST 2013


Snort supports the logging of internal IPs if your proxy supports "X-Forwarded-For" or "True-Client-IP" headers:

http://manual.snort.org/node255.html

(enable_xff)


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jan 18, 2013, at 1:58 PM, Jason Wallace <jason.r.wallace at ...11827...> wrote:

> I have a similar situation, a proxy with a single NIC. While my sensor
> is inline with this NIC, I prefer to only inspect the traffic between
> the client and the proxy, and not the proxy to outside. This is the
> BPF I use.
> 
> (src net 10.0.0.0/8 or src net 192.168.0.0/16 or src net
> 172.16.0.0/12) and (dst net <proxy #1 IP>/32 or dst net <proxy #2
> IP>/32) or (src net <proxy #1 IP>/32 or src net <proxy #2 IP>/32) and
> (dst net 10.0.0.0/8 or dst net 192.168.0.0/16 or dst net
> 172.16.0.0/12)
> 
> Thx,
> Wally
> 
> On Fri, Jan 18, 2013 at 12:34 PM, waldo kitty <wkitty42 at ...14940...> wrote:
>> On 1/18/2013 06:50, J. H wrote:
>>> Hi,
>>> 
>>> Thank you for answering.
>>> 
>>> Only one interface on my proxy machine.
>>> 
>>> SQUID/Snort listening on the same one.
>> 
>> some might consider that to be part of the problem... it sounds like what you
>> want is for snort to be listening only to your internal machines... you might be
>> able to use a bpf to block out alerts concerning your proxy...
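The BPF quoted above joins two "and" pairs with a bare "or", so how it behaves depends on how the filter language groups them. As an added example (not part of the thread), this Python model evaluates the filter's four parenthesised groups against constructed flows, once as the grouping reads and once under pcap-filter's documented rule that "and" and "or" have equal precedence and associate left to right. The proxy, client and outside addresses are assumed stand-ins for the placeholders in the filter.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]

def in_any(addr, nets):
    """True if addr falls inside any network in nets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def groups(src, dst, proxy):
    """The four parenthesised groups of the quoted filter, in order."""
    proxies = [ipaddress.ip_network(proxy + "/32")]
    return (in_any(src, RFC1918),   # A: src net is RFC 1918
            in_any(dst, proxies),   # B: dst net is a proxy
            in_any(src, proxies),   # C: src net is a proxy
            in_any(dst, RFC1918))   # D: dst net is RFC 1918

def as_read(src, dst, proxy):
    """Grouping the filter appears to intend: (A and B) or (C and D)."""
    a, b, c, d = groups(src, dst, proxy)
    return (a and b) or (c and d)

def as_parsed(src, dst, proxy):
    """pcap-filter grouping: equal precedence, left to right."""
    a, b, c, d = groups(src, dst, proxy)
    return ((a and b) or c) and d

def compare(proxy, client="192.168.5.20", outside="203.0.113.80"):
    """Return {flow: (as_read, as_parsed)} for constructed sample flows."""
    flows = {
        "client->proxy": (client, proxy),
        "proxy->client": (proxy, client),
        "proxy->outside": (proxy, outside),
        "outside->proxy": (outside, proxy),
    }
    return {name: (as_read(s, d, proxy), as_parsed(s, d, proxy))
            for name, (s, d) in flows.items()}

if __name__ == "__main__":
    # Constructed addresses: one RFC 1918 proxy, one publicly addressed proxy.
    for proxy in ("10.1.1.10", "198.51.100.10"):
        print(proxy, compare(proxy))
```

With the proxy inside RFC 1918 space both groupings agree and only client/proxy traffic is inspected. With a publicly addressed proxy the left-to-right parse stops matching client-to-proxy packets, so putting each "and" pair inside its own outer parentheses removes that dependence.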