IDS mailing list archives
Re: x-forwarded-for an IDS capability
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Wed, 29 Apr 2009 09:00:22 -0700
The key here would be defining your HTTP "flow" more clearly (above the TCP flow level). You may need a specialized state bucket for HTTP, or at least a token correlation engine. I.e., depending on what you are trying to do and how complex, like correlating this at a *user* level, you might need to:

1. Define the session and/or authorization token in HTTP.
2. Correlate that back to the x-forwarded-for header and maintain state.
3. Then correlate *those* to future actions, e.g. a download.

If you are not trying to correlate at the user or session level, this might be much easier, and not really need HTTP state. Define what you are trying to do and I can give you a better idea of what capabilities exist today.

Currently most "WAFs" offer capabilities like the above, and many of them are HTTP IDSes. Your open source WAF being ModSecurity. Multiple vendors announced "WAFs", stand-alone or in their IDS, @ RSA this year, which should imply they have this ability, including 3COM/TippingPoint, NEC, ISS/IBM, Barracuda, etc. etc.

Snort does not, today, offer this ability. I know of one project working to build this type of functionality into Snort 2.x as we speak, and I would be surprised if Snort 3.0 does not provide for this type of functionality, but that's speculative drivel on my part.

Cheers,

--
Arian Evans

On Tue, Apr 28, 2009 at 9:27 PM, James <jimbob.coffey () gmail com> wrote:
> Hi List,
>
> Does anyone know of an IDS vendor or open source product that has the capability of associating an IP address in an x-forwarded-for HTTP header with an IDS event? This includes events that fire on a download as well, so there would need to be some kind of internal HTTP state management.
>
> I notice this request from Jason Haars back in 2004 to the snort mailing list, but I can't seem to find anything else on this in Google: http://archives.neohapsis.com/archives/snort/2004-06/0235.html
>
> thanks
> --
> jac
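The three-step correlation Arian describes (learn the session token, bind it to the x-forwarded-for client, then attribute later actions such as a download to that client), sketched as an added example that is not from the thread. The cookie name `SESSIONID`, the trusted proxy address and all sample requests are constructed assumptions; the example also shows why the client address is read from the right of the XFF list, which the thread does not discuss.

```python
"""Bind X-Forwarded-For client addresses to HTTP sessions and TCP flows so that an
IDS alert raised later (e.g. on a download response) can be attributed to the real
client instead of the proxy. Cookie name and addresses are constructed for the example."""
from typing import Optional

TRUSTED_PROXIES = {"10.0.0.5"}   # assumed: the reverse proxy that appends to XFF
SESSION_COOKIE = "SESSIONID"     # assumed: name of the application's session token


def client_ip_from_xff(xff: str, trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Right-most hop not owned by a trusted proxy. A client can prepend fake hops
    to XFF, but cannot remove the address the trusted proxy appends on its own."""
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if hop and hop not in trusted:
            return hop
    return None


def session_token(headers: dict) -> Optional[str]:
    """Step 1: pull the session token out of the Cookie header (keys lower-cased)."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == SESSION_COOKIE and value:
            return value
    return None


class HttpStateBucket:
    """Per-HTTP state above the TCP flow: step 2 binds token and flow to the XFF
    client; step 3 answers 'which client?' for an alert carrying only flow or token."""

    def __init__(self) -> None:
        self.by_flow: dict = {}     # (proxy_src_ip, src_port) -> client ip
        self.by_session: dict = {}  # session token -> client ip

    def observe_request(self, flow: tuple, headers: dict) -> None:
        hdrs = {k.lower(): v for k, v in headers.items()}
        ip = client_ip_from_xff(hdrs.get("x-forwarded-for", ""))
        tok = session_token(hdrs)
        if ip:
            self.by_flow[flow] = ip
            if tok:
                self.by_session[tok] = ip
        elif tok in self.by_session:       # no usable XFF: fall back to session state
            self.by_flow[flow] = self.by_session[tok]

    def attribute(self, flow: tuple, token: Optional[str] = None) -> Optional[str]:
        """Client IP for an alert on this flow (e.g. a download seen in the response)."""
        return self.by_flow.get(flow) or (self.by_session.get(token) if token else None)
```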