Re: Sensor placement with presence of web proxies

[Joel Esler <jesler () sourcefire com>]

"* enable_xff *
This option enables Snort to parse and log the original client IP present in the
X-Forwarded-For or True-Client-IP HTTP request headers along with the generated
events. The XFF/True-Client-IP Original client IP address is logged only with 
unified2 output and is not logged with console (-A cmg) output.

NOTE: The original client IP from XFF/True-Client-IP in unified2 logs can be viewed 
using the tool u2spewfoo. This tool is present in the tools/u2spewfoo directory of 
snort source tree."

README.http_inspect.

I don't know what OpenSource GUIs support this field in the unified2 file yet, the only GUI I know that supports it is 
ours (Sourcefire).  Dustin/Snorby?  Care to chime in here?

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jan 26, 2012, at 6:06 PM, Jefferson, Shawn wrote:

> Oh, I should also say that I have used the multiple configs feature of snort, and created a config with my proxy 
> server tagged as EXTERNAL_NET.
>  
> Joel, how does the X-Forwarded-For header logging work?  One issue I have is that I see the IP of my proxy as the 
> source of alerts… and have to dig into the data to figure out what’s really happening.
>  
>  
> From: Joel Esler [mailto:jesler () sourcefire com] 
> Sent: Thursday, January 26, 2012 2:15 PM
> To: Jefferson, Shawn
> Cc: Martin Holste; <snort-users () lists sourceforge net>
> Subject: Re: [Snort-users] Sensor placement with presence of web proxies
>  
> We have the X-Forwarded-For (etc) header logging in Snort to deal with just this problem.
>  
> Saying that, I've seen a sensor deployed in both ways (inside the proxy and outside the proxy) inside the proxy 
> (client desktop side) is much preferred.
>  
> Also, saying that, make sure if your proxy does any proxying over some strange port, make sure it's in http_inspect 
> and HTTP_PORTS for now.
>  
> J
>
> On Thu, Jan 26, 2012 at 5:02 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:
> Hi Martin,
>
> I have the exact configuration* you are describing, and I have wondered the same thing.  I do get alerts for 
> proxy-bound HTTP traffic, so I am fairly comfortable that detection is still working correctly.  I think I've even 
> asked the same question on this list with no answers.  I'm interested in verifying this as well.
>
> *We actually have two scenarios:
>
> 1. Explicit proxy configuration.
> 2. WCCP redirect of 80/443 traffic.
>
> Both seem to generate alerts from Snort still.
>
>
> -----Original Message-----
> From: Martin Holste [mailto:mcholste () gmail com]
> Sent: Thursday, January 26, 2012 1:54 PM
> To: <snort-users () lists sourceforge net>
> Subject: [Snort-users] Sensor placement with presence of web proxies
>
> Our org is looking at using web proxies without changing settings on the client.  This can involve using Cisco's WCCP 
> or policy-based routing to marshal traffic that would normally go to the Internet to a proxy.  As I understand it, 
> the proxy makes the request, returns the response to the router, and the router returns the response to the client.  
> My question is if anyone has run into problems with a tap or span on the side of the router closest to the client.  
> That is, does the proxy change the traffic enough to interfere?  It seems nonsensical to put the sensor at the edge 
> of the network since the requests will have the source IP of the proxy, not the actual client, but that means that 
> the traffic the IDS inspects will be inauthentic versus what the remote host on the Internet actually sent.
> Theoretically, it should be the same traffic, but I'm wondering if anyone can confirm that.  I'm especially concerned 
> with appliances that reorder or normalize HTTP headers, etc.
>
> Thanks,
>
> Martin
>
> ------------------------------------------------------------------------------
> Keep Your Developer Skills Current with LearnDevNow!
> The most comprehensive online learning library for Microsoft developers is just $99.99! Visual Studio, SharePoint, 
> SQL - plus HTML5, CSS3, MVC3, Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
> ------------------------------------------------------------------------------
> Keep Your Developer Skills Current with LearnDevNow!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-d2d
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
>
>
>  
> -- 
> Joel Esler | http://blog.snort.org | http://vrt-blog.snort.org | 
> http://blog.clamav.net
> Twitter:  http://twitter.com/snort

------------------------------------------------------------------------------
Try before you buy = See our experts in action!
The most comprehensive online learning library for Microsoft developers
is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
Metro Style Apps, more. Free future releases when you subscribe now!
http://p.sf.net/sfu/learndevnow-dev2

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!