snort-users November 2009 archive

Re: [Snort-users] Proxy woes

From: Jason Wallace <jason.r.wallace_at_nospam>
Date: Tue Nov 17 2009 - 21:46:18 GMT
To: Snort <snort-users@lists.sourceforge.net>


I'm getting ready to deploy in the same fashion. The X-Forwarded-For header will work but it will be a PIA digging into every alert to find it and will make reporting on the number of hosts affected with a particular bot (or whatever else) pretty difficult. There might be a good idea for a proxy preprocessor in here somewhere to make tracking this easier.

on that note...

We currently do not have X-Forwarded-For turned on on our proxy. Is anyone else concerned that it provides internal IP information to whatever the proxy is forwarding the request to? I guess if the client has something malicious on it, whatever it is will already know what the internal IP is and could pass that on if it could make use of it... moot point?

On Tue, Nov 17, 2009 at 3:52 PM, CunningPike <cunningpike@gmail.com> wrote:
> On Tue, Nov 17, 2009 at 11:52 AM, inetjunkmail <inetjunkmail@gmail.com>
> wrote:
>>
>> We have a proxy server between our users and the Internet. The proxy
>> server is explicitly configured in their browsers (not transparent). We'd
>> like to use Snort with both VRT and Emerging rules to help identify bots.
>> So I see two options:
>>
>> Put Snort outside proxy servers:
>> Pro: Destination addresses are valid so they can be matched on by
>> Emerging Bot rules
>> Con: Internal user's IP is lost unless correlated against proxy logs since
>> all source addresses are the proxy's external address
>>
>> Put Snort inside proxy servers:
>> Pro: See the Internal client's IP address
>> Con: All destination addresses are the proxy server since the destination
>> web site is in the payload (not to mention the destination in the payload is
>> likely a URL rather than IP)
>>
>> Is there any preprocessor or way to look at the traffic inside the proxy
>> request and have the preprocessor pull the destination out and do a DNS
>> lookup to identify the true destination IP before processing the rules? I
>> understand the DNS overhead likely introduces too much delay; just looking
>> for any possibilities.
>>
> We have a setup pretty close to yours - our IDS is downstream of the proxy.
> If/when we get an alert, we inspect the X-Forwarded-For header to determine
> the IP address of the host that originated the request.
>
> CP
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
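Added example, not code from the thread or from Snort itself: a small parser that recovers the originating client from X-Forwarded-For and the true destination from the proxied request line or Host header in decoded alert payloads, then counts distinct internal hosts per signature, which is the reporting problem raised above. It assumes payloads have already been decoded to text; the sample alerts are constructed.

```python
# Added example (not from the thread): recover the originating client and the true
# destination from proxied HTTP requests in decoded Snort alert payloads, then count
# distinct internal hosts per signature. Sample alerts below are constructed.
from collections import defaultdict
from urllib.parse import urlsplit

SAMPLE_ALERTS = [  # (signature name, decoded HTTP request payload)
    ("ET TROJAN Example Bot Checkin", "GET http://c2.example.net/gate.php HTTP/1.1\r\n"
     "Host: c2.example.net\r\nX-Forwarded-For: 10.1.2.3\r\n\r\n"),
    ("ET TROJAN Example Bot Checkin", "GET http://c2.example.net/gate.php HTTP/1.1\r\n"
     "Host: c2.example.net\r\nX-Forwarded-For: 10.1.2.4, 10.0.0.254\r\n\r\n"),  # 2 hops
    ("ET TROJAN Example Bot Checkin", "GET http://c2.example.net/gate.php HTTP/1.1\r\n"
     "Host: c2.example.net\r\n\r\n"),  # proxy did not add X-Forwarded-For
    ("POLICY Example Download", "GET /setup.exe HTTP/1.1\r\n"
     "Host: files.example.org\r\nX-Forwarded-For: 10.1.2.3\r\n\r\n"),
]

def parse_request(payload):
    """Return (client_ip, destination_host) for one proxied HTTP request.
    client_ip: leftmost X-Forwarded-For entry (the original client; later entries are
    intermediate proxies) or None. destination_host: absolute-URI host, else Host header."""
    lines = payload.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    xff = headers.get("x-forwarded-for")
    client_ip = xff.split(",")[0].strip() if xff else None
    parts = lines[0].split()
    target = parts[1] if len(parts) >= 2 else ""
    host = urlsplit(target).hostname if "://" in target else None
    return client_ip, host or headers.get("host")

def summarise(alerts):
    """Per signature: distinct originating clients, true destinations, and the number
    of alerts without X-Forwarded-For (those still need proxy-log correlation)."""
    report = defaultdict(lambda: {"clients": set(), "destinations": set(), "missing_xff": 0})
    for sig, payload in alerts:
        client_ip, dest = parse_request(payload)
        if client_ip:
            report[sig]["clients"].add(client_ip)
        else:
            report[sig]["missing_xff"] += 1
        if dest:
            report[sig]["destinations"].add(dest)
    return dict(report)

if __name__ == "__main__":
    for sig, e in summarise(SAMPLE_ALERTS).items():
        print(sig, sorted(e["clients"]), sorted(e["destinations"]), e["missing_xff"])
```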
