snort-users May 2008 archive
Main Archive Page > Month Archives  > snort-users archives
snort-users: Re: [Snort-users] Snort on web servers behind rever

Re: [Snort-users] Snort on web servers behind reverse proxies

From: Jason <security_at_nospam>
Date: Thu May 01 2008 - 16:10:57 GMT
To: Tudor Panaitescu <TPanaitescu@colorcon.com>


you will have to post process it. check out snortunified.pm for a framework tat makes it easy.

Tudor Panaitescu wrote:
>
> Hi
>
> First of all I did some research and couldn't find anything about this, so
> no flames please :-)
>
> Here is the story. We have some reverse proxies/application
> accelerators/etc. (let's call them reverse proxies for now) in front of our
> web site. We don't control these reverse proxies and I am not sure if the
> provider has any IDS capabilities on those. I have snort (2.8.0.2)
> installed on the actual web servers but the only thing that I see in the
> alerts is the IP addresses of the reverse proxies, which is normal. Now,
> the reverse proxies, in their http requests to the web servers, they add 2
> entries in the headers: X-Forwarded-For: <origin's IP address> and
> True-Client-IP: <origin's IP address>. Is it a way to modify the rules to
> alert using any of these IP addresses instead of the IP address(es) of the
> reverse proxies ?
>
> Any help/idea would be appreciated.
>
> Thanks and all the best,
> Tudor
>
>
> Visit us at http://www.colorcon.com
>
> NOTICE: This e-mail contains confidential and/or proprietary information, some or all of which may be legally privileged. It is intended only for the named recipient. If an addressing or transmission error has misdirected the e-mail,
> please notify the author by replying to this message. If you are not the named recipient you must not use, disclose, distribute, copy, print, or rely on this e-mail, and should immediately delete it from your computer system.
>
> Thank you. *
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> Don't miss this year's exciting event. There's still time to save $100.
> Use priority code J8TL2D2.
> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



This SF.net email is sponsored by the 2008 JavaOne(SM) Conference Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone

Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users