[Snort-users] Snort on proxy (outbound alerts)

Jason Wallace jason.r.wallace at ...11827...
Fri Jan 18 14:12:10 EST 2013


Without using a transparent proxy, your only options are to monitor
"Proxy <-> Client" or "Proxy <-> Outside" or both. You can't merge
the two together because they are different sessions. If you monitor
both and have a SIEM you can sometimes "merge" the SIEM alerts
together if the SIEM is collecting alerts from both sensors and the
proxy.

On Fri, Jan 18, 2013 at 1:51 PM, T. R <joga3.web at ...11827...> wrote:
> I cannot run a transparent proxy.
>
> You got it, I want to be alerted about my LAN.
> Already thought about BPF filters, but what you are forgetting, is that some
> rules are made to match on some DESTINATIONS. In my case, the destination
> for my clients' HTTP traffic will always be my proxy.
> Something interesting, would be if snort could look at the CONNECT method in
> my HTTP requests (for example).
>
> T.
>
>
> 2013/1/18 waldo kitty <wkitty42 at ...14940...>
>>
>> On 1/18/2013 06:50, J. H wrote:
>> > Hi,
>> >
>> > Thank you for answering.
>> >
>> > Only one interface on my proxy machine.
>> >
>> > SQUID/Snort listening on the same one.
>>
>> some might consider that to be part of the problem... it sounds like what
>> you
>> want is for snort to be listening only to your internal machines... you
>> might be
>> able to use a bpf to block out alerts concerning your proxy...
>>
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users at lists.sourceforge.net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>
>> Please visit http://blog.snort.org to stay current on all the latest Snort
>> news!

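The SIEM-side "merge" described in the reply above, sketched as an added example that is not part of the original thread: alerts from a "Proxy <-> Outside" sensor are attributed to LAN clients by joining them with the proxy's own log. It assumes Squid's native access.log format; the proxy address, log lines and alert tuples are constructed for illustration.

```python
# Added example: attribute "Proxy <-> Outside" sensor alerts to LAN clients
# by joining them with Squid access.log entries. All data below is constructed.
from collections import namedtuple

Entry = namedtuple("Entry", "start end client method url peer")

# Constructed Squid native-format access.log lines (assumed default logformat).
ACCESS_LOG = """\
1358535130.500    400 192.168.1.25 TCP_MISS/200 1542 GET http://example.test/a - DIRECT/203.0.113.10 text/html
1358535131.900   1200 192.168.1.30 TCP_MISS/200 4000 CONNECT secure.example.test:443 - DIRECT/203.0.113.20 -
1358535140.000    300 192.168.1.41 TCP_MISS/200 900 GET http://example.test/b - DIRECT/203.0.113.10 text/html
1358535141.000     10 192.168.1.25 TCP_HIT/200 512 GET http://example.test/c - NONE/- text/css
"""

def parse_access_log(text):
    """Parse native-format lines; skip ones with no upstream peer (cache hits)."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue
        end, elapsed_ms = float(f[0]), int(f[1])
        peer = f[8].split("/", 1)[1]  # hierarchy_code/peer_address
        if peer == "-":
            continue  # served from cache: nothing crossed the outside link
        entries.append(Entry(end - elapsed_ms / 1000.0, end, f[2], f[5], f[6], peer))
    return entries

def attribute(alert, entries, proxy_ip, slack=1.0):
    """Return the log entries that could have produced an outside-sensor alert."""
    ts, src, dst, _msg = alert
    remote = dst if src == proxy_ip else src  # alert may fire in either direction
    return [e for e in entries
            if e.peer == remote and e.start - slack <= ts <= e.end + slack]

if __name__ == "__main__":
    PROXY = "10.0.0.5"  # hypothetical proxy address
    # Constructed alerts as (epoch, src, dst, msg), e.g. exported from a SIEM.
    alerts = [(1358535130.3, PROXY, "203.0.113.10", "constructed alert A"),
              (1358535131.0, "203.0.113.20", PROXY, "constructed alert B")]
    log = parse_access_log(ACCESS_LOG)
    for a in alerts:
        hits = attribute(a, log, PROXY)
        print(a[3], "->", [(h.client, h.method, h.url) for h in hits] or "no match")
```

When several clients reach the same server within the same window, the join returns every candidate, so the result is a shortlist rather than a definitive attribution.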


