snort-users May 2008 archive

Re: [Snort-users] Snort on web servers behind reverse proxies

From: Jack Pepper <pepperjack_at_nospam>
Date: Thu May 01 2008 - 15:46:06 GMT
To: snort-users@lists.sourceforge.net


Or, are you wanting the alert actions inside of snort to replace the proxy addr with the addr in the True-Client-IP field?

That's doable with a custom output method, but nothing built-in.

jp

Quoting Joel Esler <joel.esler@sourcefire.com>:

> Okay, let me clarify and you tell me if I am wrong or right. You want
> to write a Snort rule to detect if your proxies are sending your
> inside IPs out to the internet? Or are you asking how to modify your
> proxies so that they don't send the IPs at all?
>
> joel
>
> On May 1, 2008, at 10:29 AM, Tudor Panaitescu wrote:
>
>> Hi
>>
>> First of all I did some research and couldn't find anything about this, so
>> no flames please :-)
>>
>> Here is the story. We have some reverse proxies/application
>> accelerators/etc. (let's call them reverse proxies for now) in front of our
>> web site. We don't control these reverse proxies and I am not sure if the
>> provider has any IDS capabilities on those. I have snort (2.8.0.2)
>> installed on the actual web servers but the only thing that I see in the
>> alerts is the IP addresses of the reverse proxies, which is normal. Now,
>> the reverse proxies, in their http requests to the web servers, add 2
>> entries in the headers: X-Forwarded-For: <origin's IP address> and
>> True-Client-IP: <origin's IP address>. Is there a way to modify the rules to
>> alert using any of these IP addresses instead of the IP address(es) of the
>> reverse proxies?
>>
>> Any help/idea would be appreciated.
>>
>> Thanks and all the best,
>> Tudor
>>
>
>
> --
> Joel Esler  joel.esler@sourcefire.com
>
--
Framework? I don't need no stinking framework!
----------------------------------------------------------------
@fferent Security Labs: Isolate/Insulate/Innovate
http://www.afferentsecurity.com

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
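The custom output step jp mentions (replacing the proxy address with the value of True-Client-IP), as an added example that is not code from this thread or from Snort: a Python post-processor that rewrites the source address in a Snort alert_fast line from the captured HTTP request's True-Client-IP or X-Forwarded-For header, and only when the packet came from a known reverse proxy, since a direct client can write anything into those headers. The trusted proxy range, the alert line and the request payload are constructed sample values; the alert_fast layout is Snort's, but having the request payload available next to the alert is an assumption about how alerts are logged.

```python
import ipaddress
import re

# Constructed: the reverse-proxy range whose forwarded headers we trust. Clients
# can write anything into X-Forwarded-For, so the header is only honoured when
# the packet's source really is one of these proxies.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]
# True-Client-IP carries one address; X-Forwarded-For is a comma-separated
# chain whose first element is the original client.
HEADER_ORDER = ("true-client-ip", "x-forwarded-for")
# Source "addr:port -> " in Snort's alert_fast layout (IPv4 only here).
SRC_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> ")

def parse_headers(payload: bytes) -> dict:
    """Lower-cased header name -> value from a raw HTTP request payload."""
    head = payload.decode("latin-1").split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def resolve_client_ip(src_ip: str, payload: bytes) -> str:
    """Origin address for an alert, or src_ip if no header can be trusted."""
    if not any(ipaddress.ip_address(src_ip) in net for net in TRUSTED_PROXIES):
        return src_ip                            # direct client: headers untrusted
    headers = parse_headers(payload)
    for name in HEADER_ORDER:
        candidate = headers.get(name, "").split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(candidate))
        except ValueError:
            continue                             # missing or malformed: next header
    return src_ip                                # no usable header: keep proxy IP

def rewrite_alert(alert_line: str, payload: bytes) -> str:
    """Swap the proxy address in an alert_fast line for the resolved client."""
    m = SRC_RE.search(alert_line)
    if not m:
        return alert_line
    client = resolve_client_ip(m.group(1), payload)
    return alert_line[: m.start(1)] + client + alert_line[m.end(1):]

# Constructed sample alert line and the matching HTTP request payload.
SAMPLE_ALERT = ("05/01-10:29:00.123456  [**] [1:1000001:1] WEB-MISC sample [**] "
                "[Priority: 3] {TCP} 203.0.113.10:51234 -> 10.0.0.5:80")
SAMPLE_PAYLOAD = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"X-Forwarded-For: 198.51.100.7, 203.0.113.10\r\n"
                  b"True-Client-IP: 198.51.100.7\r\n\r\n")
print(rewrite_alert(SAMPLE_ALERT, SAMPLE_PAYLOAD))
```

Feeding the same logic a pcap or unified2 reader instead of the constructed strings gives the rewritten alert source that the original post asks for, while alerts from any address outside TRUSTED_PROXIES keep their real source.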