[Snort-users] Question: Snort-Alerts do not fire when traffic goes thru proxy

Claus Regelmann rgc at ...17118...
Wed Mar 18 21:31:26 EDT 2015


Hello,

my Snort (2.9.7.2) runs on a small linux firewall and listens on the interface
connected to the internet (not in-line). On the same machine, a Squid-Proxy is running.

I wrote a small local rule:
>''alert tcp $HOME_NET any -> any [8080,7779] (msg:"RgC: HIGH RISK possible outbound GEODO URI pattern found";
pcre:"/[^\/]*\/[0-9a-f]{5,8}\//U"; classtype:trojan-activity; sid:1000004; rev:1;)''

HOME_NET is set in snort.conf:
# Setup the network addresses you are protecting
ipvar HOME_NET [10.1.0.0/16,192.168.0.0/16]

The above rule alerts where I run a test without proxying (src 10.1.2.20):
(Event)
         sensor id: 0    event id: 11    event second: 1426699327        event microsecond: 60572
         sig id: 1000004 gen id: 1       revision: 1      classification: 21
         priority: 1     ip source: 10.1.2.20    ip destination: 202.44.54.3
         src port: 49170 dest port: 8080 protocol: 6     impact_flag: 0  blocked: 0

Packet
         sensor id: 0    event id: 11    event second: 1426699327
         packet second: 1426699327       packet microsecond: 60572
         linktype: 1     packet_length: 473
[    0] 9C C7 A6 2F 8C 14 00 22 19 6E 94 17 08 00 45 00  .../...".n....E.
[   16] 01 CB 01 60 40 00 7F 06 EC 88 0A 01 02 14 CA 2C  ...`@..........,
[   32] 36 03 C0 12 1F 90 64 F3 DA F8 0A 7B D4 EB 50 18  6.....d....{..P.
[   48] 3E 64 74 38 00 00 50 4F 53 54 20 2F 63 61 61 31  >dt8..POST /caa1
[   64] 31 62 31 39 2F 32 30 34 32 39 35 31 32 33 34 2F  1b19/2042951234/
[   80] 20 48 54 54 50 2F 31 2E 31 0D 0A 41 63 63 65 70   HTTP/1.1..Accep
[   96] 74 3A 20 2A 2F 2A 0D 0A 55 73 65 72 2D 41 67 65  t: */*..User-Age
[  112] 6E 74 3A 20 4D 6F 7A 69 6C 6C 61 2F 35 2E 30 20  nt: Mozilla/5.0
[  128] 28 63 6F 6D 70 61 74 69 62 6C 65 3B 20 4D 53 49  (compatible; MSI
[  144] 45 20 39 2E 30 3B 20 57 69 6E 64 6F 77 73 20 4E  E 9.0; Windows N
[  160] 54 20 37 2E 31 3B 20 54 72 69 64 65 6E 74 2F 35  T 7.1; Trident/5
[  176] 2E 30 29 0D 0A 48 6F 73 74 3A 20 32 30 32 2E 34  .0)..Host: 202.4
[  192] 34 2E 35 34 2E 33 3A 38 30 38 30 0D 0A 43 6F 6E  4.54.3:8080..Con
[  208] 74 65 6E 74 2D 4C 65 6E 67 74 68 3A 20 31 39 36  tent-Length: 196
[  224] 0D 0A 43 6F 6E 6E 65 63 74 69 6F 6E 3A 20 4B 65  ..Connection: Ke
[  240] 65 70 2D 41 6C 69 76 65 0D 0A 43 61 63 68 65 2D  ep-Alive..Cache-
[  256] 43 6F 6E 74 72 6F 6C 3A 20 6E 6F 2D 63 61 63 68  Control: no-cach
[  272] 65 0D 0A 0D 0A 87 DD 5F 07 05 0D 18 94 46 50 8C  e......_.....FP.
[  288] 55 2E BF 45 6B C5 F8 2B AB DB 07 3C 20 5D B0 EF  U..Ek..+...< ]..
[  304] C5 D6 ED A9 81 71 54 5F 78 27 28 61 BD AF E9 57  .....qT_x'(a...W
[  320] 60 FA 27 D6 C0 E9 3C 04 7C 5C 81 44 A0 DA 9B E6  `.'...<.|\.D....
[  336] C2 7F 86 8F C6 00 CB DB 87 54 F0 9D CC D3 69 88  .........T....i.
[  352] 2D 01 C7 8A EB C8 9D 99 1D 36 FB 09 53 DC 7F 5B  -........6..S..[
[  368] AC 0F 94 25 32 97 12 7F D0 DE 75 B1 22 8B FD 5D  ...%2.....u."..]
[  384] 69 BE 53 E1 E7 89 62 45 02 48 86 AE 36 40 F0 DF  i.S...bE.H..6 at ...846...
[  400] DC 30 A7 65 B5 20 C0 5D 2C 86 15 53 8B 25 29 25  .0.e. .],..S.%)%
[  416] 0E DF FD C0 A0 05 B4 39 57 D5 D9 4E 26 01 71 8F  .......9W..N&.q.
[  432] FA 9F 2C 31 8F D3 C7 3D 55 0A 7D B5 F5 5E FB E0  ..,1...=U.}..^..
[  448] EC 74 E9 31 24 B3 A9 97 08 06 F1 85 E0 C4 CF B6  .t.1$...........
[  464] F6 46 DD F7 66 93 F7 58 7D                       .F..f..X}

When I redirect the traffic through the proxy, the above rule does not fire,
although I see the malware traffic in a tcpdump-capture.
0000  9c c7 a6 2f 8c 14 00 22  19 6e 94 17 08 00 45 00   .../..." .n....E.
0010  01 16 55 b2 40 00 40 06  70 67 c0 a8 b2 f0 ca 2c   ..U. at ...843...@. pg.....,
0020  36 03 94 34 1f 90 ba e0  cd 53 82 72 a1 68 80 18   6..4.... .S.r.h..
0030  00 5c 74 d1 00 00 01 01  08 0a 0e 95 98 ff 31 92   .\t..... ......1.
0040  76 d9 50 4f 53 54 20 2f  63 61 61 31 31 62 31 39   v.POST / caa11b19
0050  2f 32 30 34 32 39 35 31  32 33 34 2e 70 68 70 20   /2042951 234.php
0060  48 54 54 50 2f 31 2e 31  0d 0a 41 63 63 65 70 74   HTTP/1.1 ..Accept
0070  3a 20 2a 2f 2a 0d 0a 55  73 65 72 2d 41 67 65 6e   : */*..U ser-Agen
0080  74 3a 20 4d 6f 7a 69 6c  6c 61 2f 35 2e 30 20 28   t: Mozil la/5.0 (
0090  63 6f 6d 70 61 74 69 62  6c 65 3b 20 4d 53 49 45   compatib le; MSIE
00a0  20 39 2e 30 3b 20 57 69  6e 64 6f 77 73 20 4e 54    9.0; Wi ndows NT
00b0  20 37 2e 31 3b 20 54 72  69 64 65 6e 74 2f 35 2e    7.1; Tr ident/5.
00c0  30 29 0d 0a 48 6f 73 74  3a 20 32 30 32 2e 34 34   0)..Host : 202.44
00d0  2e 35 34 2e 33 3a 38 30  38 30 0d 0a 43 6f 6e 74   .54.3:80 80..Cont
00e0  65 6e 74 2d 4c 65 6e 67  74 68 3a 20 31 39 36 0d   ent-Leng th: 196.
00f0  0a 43 61 63 68 65 2d 43  6f 6e 74 72 6f 6c 3a 20   .Cache-C ontrol:
0100  6e 6f 2d 63 61 63 68 65  0d 0a 43 6f 6e 6e 65 63   no-cache ..Connec
0110  74 69 6f 6e 3a 20 6b 65  65 70 2d 61 6c 69 76 65   tion: ke ep-alive
0120  0d 0a 0d 0a                                        ....
The source-ip here is 192.168.178.240, the iface addresse to the internet,
and lies within the HOME_NET-range (2nd part).

There are also VRT- and ET-rules which do not fire when the traffic goes
through the proxy.

Can anybody give me a hint what's wrong here.

Thanks
Claus




More information about the Snort-users mailing list