Snort mailing list archives
Really cheeky feature request
From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 10 Jun 2004 13:24:49 +1200
We run our outgoing Web traffic through proxy servers, so a problem our IDS faces (at the edge of our networks) is that any outgoing Web-related events all come from the proxy server IP addresses (which are inside our network) instead of the actual workstations. Most proxy servers have an option to contain the IP address of the originating client in a "X-Forwarded-For:" HTTP header... (and here's the cheeky bit).

What would be nice is if Snort could have a new rule option that allowed it to report the *first* IP address shown in the "X-Forwarded-For:" header as the source address instead of the IP of the proxy, i.e. Snort would trigger just as if the network didn't have proxy servers and just allowed outgoing traffic. If it was a rule option, then it could be enabled on a rule-by-rule basis, e.g. "web_proxied_src: on" tells Snort to report the last IP address shown in the "X-Forwarded-For" header (if present) instead of the actual IP address.

Currently, tracking down a Web-based event involves either having "full" logging enabled and going through the records (looking for X-Forwarded-For) - or going to the proxy server logs and trying to filter the event out of that lot - not exactly "real time", and such actions will easily cross ownership boundaries in larger companies (i.e. the IDS team will have to brush their hair and go talk to the server team ;-).

Obviously this could win the award for the "Most Stupid Request" for the year - but hey - you've gotta shake those boundaries now and then ;-)

PS: a more consistent approach might be if there was a way to grab details out of the packet (say via pcre) and put them into a variable that you can put into "msg:" fields? e.g.

  alert tcp any any -> any 80 (msg:"Bad activity from $1"; \
      content:"X-Forwarded-For:"; pcre:"/^X-Forwarded-For:[\s]+([^\s]+)/sm";)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
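The attribution logic the request above asks for, written as a small Python helper rather than a Snort rule option (this is an added example, not code from the post or from Snort; TRUSTED_PROXIES, the sample request and the alert text are constructed). It pulls the first entry of X-Forwarded-For as the client address, falls back to the packet source when the header is absent or holds no usable address, and only honours the header when the packet really came from a known proxy, since any client can send that header itself.

```python
import ipaddress
import re

# Constructed: the proxy address the IDS would otherwise report as the source.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Header names are case-insensitive; the value ends at the end of the line.
XFF_RE = re.compile(
    r"^X-Forwarded-For:[ \t]*(.*?)[ \t]*\r?$", re.IGNORECASE | re.MULTILINE
)


def xff_client_ip(http_request, pkt_src):
    """Return the address an alert should be attributed to.

    pkt_src is the packet's source address (the proxy when proxying is in use).
    The first X-Forwarded-For entry is the original client; later entries are
    proxies the request passed through. Because the header is client-supplied,
    it is ignored unless the packet source is one of our own proxies.
    """
    src = ipaddress.ip_address(pkt_src)
    if src not in TRUSTED_PROXIES:
        return src
    m = XFF_RE.search(http_request)
    if not m:
        return src
    for entry in m.group(1).split(","):
        try:
            return ipaddress.ip_address(entry.strip())
        except ValueError:
            continue  # e.g. "unknown" placeholders some proxies insert
    return src


def alert_msg(http_request, pkt_src):
    """Equivalent of the post's msg:"Bad activity from $1" idea."""
    return "Bad activity from %s" % xff_client_ip(http_request, pkt_src)


if __name__ == "__main__":
    # Constructed sample request as seen at the network edge, sent by the proxy.
    req = (
        "GET /cgi-bin/test HTTP/1.1\r\nHost: www.example.test\r\n"
        "X-Forwarded-For: 192.168.4.77, 10.0.0.5\r\n\r\n"
    )
    print(alert_msg(req, "10.0.0.5"))
```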