Snort mailing list archives
Re: https and http_inspect gives *many* false positives
From: Jason <security () brvenik com>
Date: Mon, 12 Jan 2004 20:39:38 -0500
Jason Haar wrote:

> On Tue, 2004-01-13 at 12:48, Edward van der Jagt wrote:
> > But I still would like to know if something unwanted is travelling through my proxy servers. If http_inspect is disabled for port 80, non-HTTPS requests will then be missed by the preprocessor. So if someone is attacking a server, internal (WAN) or external (Internet), by using some URL-based attack which http_inspect should detect, this URL request will be made through the proxy (firewalls block direct access). Disabling the preprocessor is therefore not a desirable option.
>
> All that only applies to internal attackers - correct? I mean your proxy server is only accessible by internal users, isn't it? So do you really want to put up with this problem and the LARGE number of false positives you WILL see just so that you can discover if an internal user is attempting to break a Web server via your proxy? [I'm not saying that's a bad thing - it's just that most IDS people are only interested in external baddies - not internal]
>
> Anyway, as this is a preprocessor, I think you're out of luck. If these alerts were caused by "alert" rules, you could simply put a "pass" rule above them saying something like "ignore port 80 connections starting with the string CONNECT" - which would cause HTTPS proxied queries to be ignored, and the rest to be still analysed. However, as this is a preprocessor, such logic does not apply.
Have a look at http://www.snort.org/docs/snort_manual/node19.html

suppress gen_id 119, sig_id 1, track by_dst, ip [private_proxy_ip/32]
suppress gen_id 119, sig_id 2, track by_dst, ip [private_proxy_ip/32]
suppress gen_id 119, sig_id 3, track by_dst, ip [private_proxy_ip/32]

You would be ignoring events from internal clients to your proxy server, but anything destined for the public address as a dst would still alert; you should still catch the questionable requests passed by the proxy to the internet or internal servers. Likewise, you could ignore them with a src of your local net and only see items from off net or your public address for the proxy. It is not a perfect solution but better than nothing.

You should also look at using inspect_uri_only; it may be appropriate for this proxy server.
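As an added illustration, not part of the original message and not Snort's own code, the following Python script simulates how the "suppress ... track by_dst, ip ..." entries above filter events. It parses suppress lines in the syntax shown in the post, then applies them to a constructed set of http_inspect events (gen_id 119) between a hypothetical client 10.0.0.50, proxy 10.0.0.5 and a public web server 203.0.113.10, so you can verify which events stay suppressed and which still alert. The sig_id values, addresses and events are constructed for the example.

```python
"""Simulate Snort 'suppress' matching for gen_id/sig_id + track/ip filters.

Added example, not code from the Snort project or the mailing-list post.
The addresses and events below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Event:
    gen_id: int
    sig_id: int
    src: str
    dst: str


@dataclass(frozen=True)
class Suppress:
    gen_id: int
    sig_id: int
    track: Optional[str]                        # "by_src", "by_dst" or None (global)
    network: Optional[ipaddress.IPv4Network]    # None when no track/ip given


def parse_suppress(line: str) -> Suppress:
    """Parse 'suppress gen_id 119, sig_id 1, track by_dst, ip [10.0.0.5/32]'."""
    body = line.strip()
    if not body.startswith("suppress "):
        raise ValueError("not a suppress line: %r" % line)
    fields = {}
    for part in body[len("suppress "):].split(","):
        key, value = part.split()
        fields[key] = value.strip("[]")         # the manual's examples bracket the ip
    track = fields.get("track")
    net = ipaddress.ip_network(fields["ip"], strict=False) if "ip" in fields else None
    if (track is None) != (net is None):
        raise ValueError("track and ip must be given together: %r" % line)
    return Suppress(int(fields["gen_id"]), int(fields["sig_id"]), track, net)


def is_suppressed(event: Event, rules: List[Suppress]) -> bool:
    """True if any suppress entry matches this event's generator/signature and address."""
    for rule in rules:
        if (rule.gen_id, rule.sig_id) != (event.gen_id, event.sig_id):
            continue
        if rule.track is None:                  # no track clause: suppress everywhere
            return True
        addr = ipaddress.ip_address(event.dst if rule.track == "by_dst" else event.src)
        if addr in rule.network:
            return True
    return False


def surviving_alerts(events: List[Event], rules: List[Suppress]) -> List[Event]:
    """Return the events Snort would still alert on after suppression."""
    return [e for e in events if not is_suppressed(e, rules)]


# Constructed config, mirroring the three entries in the post with a sample proxy IP.
SAMPLE_RULES = [parse_suppress(line) for line in (
    "suppress gen_id 119, sig_id 1, track by_dst, ip [10.0.0.5/32]",
    "suppress gen_id 119, sig_id 2, track by_dst, ip [10.0.0.5/32]",
    "suppress gen_id 119, sig_id 3, track by_dst, ip [10.0.0.5/32]",
)]

# Constructed events: client -> proxy (CONNECT traffic), proxy -> internet, and an
# unlisted sig_id to show that only the listed signatures are suppressed.
SAMPLE_EVENTS = [
    Event(119, 1, "10.0.0.50", "10.0.0.5"),       # client -> proxy: suppressed
    Event(119, 2, "10.0.0.50", "10.0.0.5"),       # client -> proxy: suppressed
    Event(119, 3, "10.0.0.50", "10.0.0.5"),       # client -> proxy: suppressed
    Event(119, 1, "10.0.0.5", "203.0.113.10"),    # proxy -> internet: still alerts
    Event(119, 4, "10.0.0.50", "10.0.0.5"),       # sig_id 4 not listed: still alerts
]

if __name__ == "__main__":
    for e in surviving_alerts(SAMPLE_EVENTS, SAMPLE_RULES):
        print("ALERT [%d:%d] %s -> %s" % (e.gen_id, e.sig_id, e.src, e.dst))
```

Running it prints two alerts: the proxy-to-internet event and the unlisted sig_id 4 event. Swapping "track by_dst" for "track by_src" with the local network as the ip argument gives the second variant the post mentions, where only traffic from off-net sources or from the proxy's public address remains visible.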