Snort mailing list archives
transparent proxy client IP not showing in alert
From: Trembly.MaryEtta <Trembly.MaryEtta () ensco com>
Date: Tue, 1 May 2012 10:40:09 -0400
We have an issue with configuring snort to alert on the client side of a transparently proxied web connection. We are mirroring the client side of the connection to an interface on our snort sensor. It seems we should see alerts showing the client IP, but the alerts we see are only showing the proxy IP. If we tell snort to ignore the proxy IP, we do not get any alerts. Using tcpdump we are able to extract packets that show the source IP as the client and dest IP as the external web server, the same way the client sees the traffic. Shouldn't snort be able to alert on these packets while ignoring the web proxy IP?

We are aware of an enable_xff option for snort to extract the X-Forward record; unfortunately barnyard2 is not able to extract the Original Client info to send to the database on any version of snort newer than 9.1.0.5. This version of snort is too old for our use.

I believe snort is actually following the MAC address and matching it to the web proxy IP, and ignoring the packets because it can match the MAC to the proxy. The captured packets that show the client talking "directly" to the external web server IP have the MAC address of the web proxy; that is how the packets get transferred through the web proxy. Is there a way to tell snort not to try to match the MAC to IP?

M.E.T.
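The post mentions Snort's enable_xff option as the way to recover the real client behind the proxy from the X-Forwarded-For header. The following Python is an added illustration of that recovery logic and is not code from Snort, barnyard2, or the poster; all addresses and the HTTP request are constructed for the example, and the trusted-proxy set is an assumption the reader would replace with their own proxy address. It shows the check a sensor-side script must make before believing the header: the header is only honoured when the packet actually arrived from a trusted proxy, and the chain is walked from the right so that a client cannot forge its own "original" address by prepending entries.

```python
"""
Recover the original client address from transparently proxied HTTP traffic.

Added example (not Snort or barnyard2 code). A sensor behind the proxy sees the
proxy's address in the IP header; the real client survives only in the
X-Forwarded-For header, which is what Snort's enable_xff reads.
"""
import ipaddress

# Assumed topology, constructed for this example: one transparent proxy.
PROXY_IP = "10.0.0.5"
TRUSTED_PROXIES = {ipaddress.ip_address(PROXY_IP)}

# Constructed request as the sensor would see it on the proxy side of the
# connection: packet source is the proxy, the client is carried in XFF.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-Forwarded-For: 192.168.1.77, 10.0.0.5\r\n"
    b"User-Agent: constructed-sample\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of an HTTP/1.x request into a lowercase-keyed dict.

    Repeated headers are joined with ', ' as RFC 7230 permits for list-valued
    headers, so a second X-Forwarded-For line extends the chain instead of
    silently replacing it.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        key = name.strip().lower().decode("ascii", "replace")
        val = value.strip().decode("ascii", "replace")
        headers[key] = f"{headers[key]}, {val}" if key in headers else val
    return headers


def original_client(packet_src: str, raw_request: bytes,
                    trusted=TRUSTED_PROXIES) -> str:
    """Return the address an analyst should attribute the request to.

    Rules:
      * If the packet did not come from a trusted proxy, the header is
        untrusted input and the packet source is the client.
      * Otherwise walk X-Forwarded-For from the right, discarding trusted
        proxies; the first untrusted hop is the client.
      * A malformed entry in the chain means the chain cannot be trusted,
        so fall back to the packet source rather than guess.
    """
    src = ipaddress.ip_address(packet_src)
    if src not in trusted:
        return str(src)
    hdr = parse_headers(raw_request).get("x-forwarded-for")
    if not hdr:
        return str(src)
    hops = []
    for tok in hdr.split(","):
        tok = tok.strip()
        try:
            hops.append(ipaddress.ip_address(tok))
        except ValueError:
            hops.append(None)  # keep position; marks the chain as malformed
    for hop in reversed(hops):
        if hop is None:
            return str(src)
        if hop not in trusted:
            return str(hop)
    return str(src)  # every hop was a trusted proxy; nothing better to report


if __name__ == "__main__":
    print("client:", original_client(PROXY_IP, SAMPLE_REQUEST))
```

Running the block prints the client address taken from the header for the constructed request. The same function returns the packet source unchanged when the packet is not from the configured proxy, which is the behaviour that keeps a forged X-Forwarded-For from rewriting the alert's source address.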