Snort mailing list archives

transparent proxy client IP not showing in alert


From: Trembly.MaryEtta <Trembly.MaryEtta () ensco com>
Date: Tue, 1 May 2012 10:40:09 -0400

We have an issue with configuring snort to alert on the client side of a transparently proxied web connection. We are 
mirroring the client side of the connection to an interface on our snort sensor.

It seems we should see alerts showing the client IP but the alerts we see are only showing the proxy IP.  If we tell 
snort to ignore the proxy IP, we do not get any alerts. Using tcpdump we are able to extract packets that show the 
source IP as the client and dest IP as the external web server...the same way the client sees the traffic. Shouldn't 
snort be able to alert on these packets while ignoring the web proxy IP?

We are aware of an enable_xff option for snort to extract the X-Forward record; unfortunately barnyard2 is not able to 
extract the Original Client info to send to the database on any version of snort newer than 9.1.0.5. This version of 
snort is too old for our use.

I believe snort is actually following the MAC address and matching it to the web proxy IP, and ignoring the packets 
because it can match the MAC to the proxy. The captured packets that show the client talking "directly" to the external 
web server IP have the MAC address of the web proxy; that is how the packets get transferred through the web proxy.

Is there a way to tell snort not to try to match the MAC to IP?

M.E.T.
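The message above mentions the enable_xff option, which makes Snort attribute an HTTP event to the address carried in the X-Forwarded-For header rather than to the proxy that sent the packet. The following added example (not code from Snort, barnyard2 or the poster) shows the same attribution logic on a captured HTTP request so the edge cases are visible: the packet source must be a known proxy before the header is trusted at all, and only the rightmost entry that is not itself a trusted proxy is believed, because anything further left could have been inserted by the client. All addresses and the request bytes are constructed for the example.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Constructed sample: addresses of the transparent proxy(ies) whose
# X-Forwarded-For header the sensor is allowed to believe (hypothetical).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}

# Constructed sample request as mirrored on the proxy-to-server side.
# The proxy appended the real client (192.168.1.23) and itself to XFF.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-Forwarded-For: 192.168.1.23, 10.0.0.5\r\n"
    b"User-Agent: constructed-sample\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> Dict[str, List[str]]:
    """Split the header block of a raw HTTP request into a name -> values map.

    Header names are lower-cased; repeated headers keep every value in order.
    The request line and the body are ignored.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers: Dict[str, List[str]] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # malformed line, not a header
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


def original_client(packet_src: str, raw_request: bytes,
                    trusted_proxies: Iterable[ipaddress._BaseAddress]) -> Optional[str]:
    """Return the IP address an alert for this request should be attributed to.

    - Packet not from a trusted proxy: the IP header is authoritative.
    - Packet from a trusted proxy, no X-Forwarded-For: the client is unknown (None).
    - Otherwise walk the XFF list from the right, skipping trusted proxies; the
      first address that is not a trusted proxy is the client as observed by the
      nearest trusted hop. Entries left of it are client-controlled and ignored.
    """
    trusted = set(trusted_proxies)
    src = ipaddress.ip_address(packet_src)
    if src not in trusted:
        return packet_src

    xff_values = parse_headers(raw_request).get("x-forwarded-for")
    if not xff_values:
        return None

    # Multiple XFF headers are treated as one comma-separated list, in order.
    entries = [e.strip() for e in ",".join(xff_values).split(",") if e.strip()]
    for entry in reversed(entries):
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            return None  # garbage where an address should be: do not guess
        if addr not in trusted:
            return str(addr)
    return None  # every entry was one of our own proxies


def demo() -> Optional[str]:
    """Attribute the constructed sample request, as seen coming from the proxy."""
    return original_client("10.0.0.5", SAMPLE_REQUEST, TRUSTED_PROXIES)


if __name__ == "__main__":
    print("alert source:", demo())
```

A client that supplies its own X-Forwarded-For header before the proxy appends to it produces a list such as `1.2.3.4, 192.168.1.23, 10.0.0.5`; the right-to-left walk still yields 192.168.1.23, which is why the function never takes the leftmost entry. Snort's own handling of the option is not reproduced here; the example only makes the trust boundary explicit.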


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!