Snort mailing list archives

Really cheeky feature request


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 10 Jun 2004 13:24:49 +1200

We run our outgoing Web traffic through proxy servers, so a problem our IDS
faces (at the edge of our networks) is that any outgoing Web-related events
all come from the proxy server IP addresses (which are inside our network)
instead of the actual workstations.

Most proxy servers have an option to contain the IP address of the
originating client in a "X-Forwarded-For:" HTTP header... (and here's the
cheeky bit). What would be nice is if Snort could have a new rule option
that allowed it to report the *first* IP address shown in the
"X-Forwarded-For:" header as the source address instead of IP of the proxy.
i.e. Snort would trigger just as if the network didn't have proxy servers
and just allowed outgoing traffic.

If it was a rule option, then it could be enabled on a rule-by-rule basis.
e.g. "web_proxied_src: on" tells snort to report the last IP address shown
in the "X-Forwarded-For" header (if present) instead of the actual IP
address.

Currently, to track down a Web based event involves either having "full"
logging enabled and going through the records (looking for X-Forwarded-For)
- or going to the proxy server logs and trying to filter the event out of
that lot - not exactly "real time", and such actions will easily cross
ownership boundaries in larger companies (i.e. the IDS team will have to
brush their hair and go talk to the server team ;-).

Obviously this could win the award for the "Most Stupid Request" for the
year - but hey - you've gotta shake those boundaries now and then ;-)

PS: a more consistent approach might be if there was a way to grab details
out of the packet (say via pcre) and put them into a variable that you can
put into "msg:" fields? 

e.g. 

alert tcp any any -> any 80 (msg:"Bad activity from $1"; \
content:"X-Forwarded-For:"; pcre:"/^X-Forwarded-For:[\s]+([^\s,]+)/sm";)


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


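Added illustration, not part of Jason's message or of Snort itself: a small Python helper showing what an IDS-side implementation of this idea has to get right. The request, the proxy addresses and the function names are constructed for the example. It deliberately reports the rightmost entry not belonging to one of our own proxies rather than the first entry, because a workstation can prepend any value it likes to X-Forwarded-For, and only the entry appended by a proxy we control is trustworthy.

```python
import re
from ipaddress import ip_address

# Constructed sample (not a real capture): workstation 10.1.2.3 forged a
# leading entry, then connected through internal proxy 10.0.0.5, which
# appended the address it actually saw. On the wire the IDS sees the proxy
# as the TCP source; the proxy's own address is not in the header.
SAMPLE_REQUEST = (
    b"GET /cgi-bin/bad.cgi HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"x-forwarded-for: 203.0.113.9, 10.1.2.3\r\n"
    b"User-Agent: test\r\n"
    b"\r\n"
)

# Assumed addresses of our own proxies; entries they append are trusted.
TRUSTED_PROXIES = {"10.0.0.5", "10.0.0.6"}

_XFF_RE = re.compile(rb"^x-forwarded-for:[ \t]*([^\r\n]*)", re.I | re.M)


def parse_xff(raw_request: bytes) -> list[str]:
    """Return every syntactically valid address from all X-Forwarded-For
    headers in the request, in the order the proxies appended them.
    Malformed tokens (e.g. "unknown") are dropped, never reported."""
    headers = raw_request.split(b"\r\n\r\n", 1)[0]
    addrs = []
    for match in _XFF_RE.finditer(headers):
        for token in match.group(1).decode("ascii", "replace").split(","):
            try:
                addrs.append(str(ip_address(token.strip())))
            except ValueError:
                continue
    return addrs


def original_client(raw_request: bytes, packet_src: str,
                    trusted=TRUSTED_PROXIES) -> str:
    """Address to report in the alert instead of the proxy's.
    Walk the chain from the right, skipping our own proxies: the rightmost
    untrusted entry was written by a proxy we control, so the client could
    not have forged it. Fall back to the packet source when the packet did
    not come from one of our proxies or no usable header is present."""
    if packet_src not in trusted:
        return packet_src
    for addr in reversed(parse_xff(raw_request)):
        if addr not in trusted:
            return addr
    return packet_src


if __name__ == "__main__":
    print(parse_xff(SAMPLE_REQUEST))
    print(original_client(SAMPLE_REQUEST, "10.0.0.5"))
```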