snort-users November 2009 archive

Re: [Snort-users] Proxy woes

From: Joel Esler <jesler_at_nospam>
Date: Tue Nov 17 2009 - 22:42:24 GMT
To: Jason Wallace <jason.r.wallace@gmail.com>


The Government may have a problem with revealing their super secret 10.1.1.1 addresses, but I guess, from the grand scope of things, who really cares?  So? You are using private address space. So is everyone else.

J

On Tue, Nov 17, 2009 at 4:46 PM, Jason Wallace <jason.r.wallace@gmail.com> wrote:

> I'm getting ready to deploy in the same fashion. The X-Forwarded-For
> header will work but it will be a PIA digging into every alert to find
> it and will make reporting on the number of hosts affected with a
> particular bot (or whatever else) pretty difficult. There might be a
> good idea for a proxy preprocessor in here somewhere to make tracking
> this easier.
>
> on that note...
>
> We currently do not have X-Forwarded-For turned on on our proxy. Is
> anyone else concerned that it provides internal IP information to
> whatever the proxy is forwarding the request to? I guess if the client
> has something malicious on it whatever it is will already know what
> the internal IP is and could pass that on if it could make use of
> it... moot point?
>
> On Tue, Nov 17, 2009 at 3:52 PM, CunningPike <cunningpike@gmail.com>
> wrote:
> > On Tue, Nov 17, 2009 at 11:52 AM, inetjunkmail <inetjunkmail@gmail.com>
> > wrote:
> >>
> >> We have a proxy server between our users and the Internet. The proxy
> >> server is explicitly configured in their browsers (not transparent). We'd
> >> like to use Snort with both VRT and Emerging rules to help identify bots.
> >> So I see two options:
> >>
> >> Put Snort outside proxy servers:
> >> Pro: Destination addresses are valid so they can be matched on by
> >> Emerging Bot rules
> >> Con: Internal user's IP is lost unless correlated against proxy logs since
> >> all source addresses are the proxy's external address
> >>
> >> Put Snort inside proxy servers:
> >> Pro: See the Internal client's IP address
> >> Con: All destination addresses are the proxy server since the destination
> >> web site is in the payload (not to mention the destination in the payload is
> >> likely a URL rather than IP)
> >>
> >> Is there any preprocessor or way to look at the traffic inside the proxy
> >> request and have the preprocessor pull the destination out and do a DNS
> >> lookup to identify the true destination IP before processing the rules? I
> >> understand the DNS overhead likely introduces too much delay; just looking
> >> for any possibilities.
> >>
> > We have a setup pretty close to yours - our IDS is downstream of the proxy.
> > If/when we get an alert, we inspect the X-Forwarded-For header to determine
> > the IP address of the host that originated the request.
> >
> > CP
> >
> >
> ------------------------------------------------------------------------------
> > Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> > trial. Simplify your report design, integration and deployment - and
> focus
> > on
> > what you do best, core application coding. Discover what's new with
> > Crystal Reports now. http://p.sf.net/sfu/bobj-july
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users@lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>
>
-- Joel Esler | 302-223-5974 | gtalk: jesler@sourcefire.com
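The two placements argued over in this thread (sensor outside the proxy, client recovered from X-Forwarded-For; sensor inside the proxy, destination recovered from the proxied request line or Host header) both come down to parsing fields out of the HTTP request that Snort captures with an alert. The following is an added example, not code from the list, from Snort, or from any poster: a small Python triage helper that pulls both pieces out of a raw request and, for the X-Forwarded-For case, applies the check a practitioner wants, trusting only the entries that our own proxies appended, since a client can send its own X-Forwarded-For header and a proxy normally appends to it rather than replacing it. The hostnames, the 10.1.1.0/24 and 203.0.113.0/24 addresses, and the request bytes are constructed test data; the "internal" ranges are assumed to be RFC 1918 space as in the thread.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: "internal" means RFC 1918 space, as in the thread.
_INTERNAL = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(addr):
    """True if addr parses as an IP inside one of the internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in _INTERNAL)


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers).
    headers maps lowercased name -> list of values in wire order, so a
    repeated X-Forwarded-For header is kept rather than overwritten."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in header_lines:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers


def xff_chain(headers):
    """Flatten every X-Forwarded-For header into one left-to-right list."""
    chain = []
    for value in headers.get("x-forwarded-for", []):
        chain.extend(v.strip() for v in value.split(",") if v.strip())
    return chain


def originating_client(headers, proxy_hops=1):
    """Return (client, claimed_client) from X-Forwarded-For.
    Each proxy appends the address it received the request from, so with
    proxy_hops proxies of our own in the path, the entry proxy_hops from the
    right is what our first proxy saw.  Anything left of it was supplied by
    the client (or a proxy we do not control) and is only a claim.  client
    is None when the chain is shorter than proxy_hops, or when proxy_hops is
    0 (sensor inside the proxy: use the packet's own source address)."""
    chain = xff_chain(headers)
    claimed = chain[0] if chain else None
    if proxy_hops <= 0 or len(chain) < proxy_hops:
        return None, claimed
    return chain[-proxy_hops], claimed


def true_destination(method, target, headers):
    """Recover (host, port) of a proxied request from the payload.
    A browser talking to an explicit proxy sends an absolute URI
    (GET http://host/path) or, for TLS, CONNECT host:port, so the real
    destination is in the request even though the packet's destination IP
    is the proxy.  Falls back to the Host header."""
    if method.upper() == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep:
            host, port = target, ""
        return host, int(port) if port.isdigit() else 443
    if "://" in target:
        u = urlsplit(target)
        return u.hostname, u.port or (443 if u.scheme == "https" else 80)
    if "host" not in headers:
        return None, None
    host, _, port = headers["host"][0].partition(":")
    return host, int(port) if port.isdigit() else 80


def triage(raw, proxy_hops=1):
    """Everything an analyst wants from one alert's captured request."""
    method, target, headers = parse_request(raw)
    client, claimed = originating_client(headers, proxy_hops)
    host, port = true_destination(method, target, headers)
    return {
        "client": client,
        "claimed_client": claimed,
        "client_is_internal": is_internal(client) if client else False,
        # True when the chain holds entries our proxies did not add.
        "untrusted_xff_prefix": client is not None
        and len(xff_chain(headers)) > proxy_hops,
        "dest_host": host,
        "dest_port": port,
    }


# Constructed samples (addresses and hostname are made up).
# Sensor outside the proxy: packet src is the proxy, client is in XFF.
OUTSIDE = (b"GET /gate.php HTTP/1.1\r\nHost: c2.example.test\r\n"
           b"X-Forwarded-For: 10.1.1.37\r\n\r\n")
# Same, but the client injected its own XFF before the proxy appended.
FORGED = (b"GET /gate.php HTTP/1.1\r\nHost: c2.example.test\r\n"
          b"X-Forwarded-For: 203.0.113.9, 10.1.1.37\r\n\r\n")
# Sensor inside the proxy: absolute-form request line names the target.
INSIDE = (b"GET http://c2.example.test:8080/gate.php HTTP/1.1\r\n"
          b"Host: c2.example.test:8080\r\n\r\n")
TLS = b"CONNECT c2.example.test:443 HTTP/1.1\r\nHost: c2.example.test:443\r\n\r\n"

if __name__ == "__main__":
    for name, raw, hops in (("outside", OUTSIDE, 1), ("forged", FORGED, 1),
                            ("inside", INSIDE, 0), ("tls", TLS, 0)):
        print(name, triage(raw, hops))
```

Run against the FORGED sample, the leftmost entry (203.0.113.9) is what a naive "first address in X-Forwarded-For" lookup would report, while the rightmost entry (10.1.1.37) is the one the proxy itself appended and is the host to send the incident ticket to. For the inside-proxy placement the recovered hostname is the thing to match on; there is no need to resolve it to an IP at alert time, since the hostname can be matched directly from the request and resolved later from the proxy logs if an address is needed.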
