Snort mailing list archives

Re: snort + squid proxy


From: Tony Robinson <deusexmachina667 () gmail com>
Date: Sat, 24 Nov 2012 15:23:15 -0500

Leonardo,

Since I don't see any responses here, if you need to ignore a single IP
address for whatever reason, snort supports loading a BPF or Berkeley
packet filter, which is basically a rule stating what traffic will be
passed from the system interface to snort to inspect, or ignored by snort
entirely.

this page is a lifesaver for learning how to write your own BPFs:
http://biot.com/capstats/bpf.html

as for learning how to integrate a BPF into snort correctly, the snort
manual has information on that -- specifically, page 32 of the snort manual
specifies how to call a file with your BPF rules specified as well as the
-F option to the command line to call a file with your BPF rules as well.

Now, for the actual syntax itself.

If you want to ignore all traffic where the proxy is the source or the
destination, and say the proxy's ip address is 1.1.1.1, create a file and
name it something meaningful, such as bpf.conf, and in the file, input the
following:

not host 1.1.1.1

this reads: "inspect all traffic seen on the interface except where host
1.1.1.1 is the source or the destination; ignore that entirely."

if you want to be more specific, you can tell snort to ignore any traffic
where the proxy is the source of the traffic enter this:

not src host 1.1.1.1

this reads "inspect all traffic seen on the interface, except for traffic
where host 1.1.1.1 is the source of the traffic; ignore that entirely"

if you want to tell snort to ignore traffic where the proxy is the
destination of the traffic, enter this:

not dst host 1.1.1.1

as you may have guessed, this reads: "inspect all traffic seen on this
interface, except for traffic where host 1.1.1.1 is the destination of the
traffic; ignore that entirely"

save your file and using either the -F or the config_bpf directive in the
snort.conf, specify the path to the file you just made, and run snort.
snort should now be ignoring your proxy.

additional note:

BPF filters can be as simple or as complex as your imagination allows. this is
a very, very basic introduction. When I say we are going to ignore all
traffic to or from a given host, I mean that. all traffic, on any port,
using any protocol will be ignored. There are ways to make your bpf filters
more specific and tell snort to ignore a single port, or port range, etc.
but I will leave that to you. for now, this should give you the results you
wanted.

Sincerely,

DA


On Thu, Nov 22, 2012 at 1:10 PM, Leonardo Pezente <lmpezente () gmail com> wrote:

well, I want to know how I can set snort to ignore one proxy server in the
network? From what I know, snort will generate a lot of false positives
because of the proxy.
And is there any problem if I put the proxy on the same machine as the IDS?


------------------------------------------------------------------------------
Monitor your physical, virtual and cloud infrastructure from a single
web console. Get in-depth insight into apps, servers, databases, vmware,
SAP, cloud infrastructure, etc. Download 30-day Free Trial.
Pricing starts from $795 for 25 servers or applications!
http://p.sf.net/sfu/zoho_dev2dev_nov
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!




-- 
when does reality end? when does fantasy begin?
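The filters above are written by hand. As an added example, not from either poster, the shell script below generates the BPF file for Tony's blanket "not host" exclusion (extended to several proxy addresses) and also produces the narrower port-restricted form he mentions but leaves to the reader, which keeps the sensor's visibility into everything else that touches the proxy box. The proxy addresses 10.0.0.5 and 10.0.0.6, port 3128 and interface eth0 are constructed placeholders; the snort command line is printed, not executed.

```shell
#!/bin/sh
# Added example, not from the list post. Builds a Snort BPF file that excludes
# a proxy's traffic and prints the matching snort invocation. Proxy addresses,
# port and interface below are constructed placeholders.

# Blanket exclusion, as in the post: nothing to or from these hosts is
# inspected. Accepts one or more addresses and joins them with "and not".
bpf_ignore_hosts() {
    expr=""
    for h in "$@"; do
        if [ -z "$expr" ]; then
            expr="not host $h"
        else
            expr="$expr and not host $h"
        fi
    done
    printf '%s\n' "$expr"
}

# Narrower exclusion: drop only the proxy service itself (its listening TCP
# port). Other traffic involving the host, e.g. admin logins to the proxy
# box or its own outbound DNS, is still inspected, so a compromise of the
# proxy machine does not become invisible to the sensor.
bpf_ignore_host_port() {
    printf 'not (host %s and tcp port %s)\n' "$1" "$2"
}

# Write EXPR to FILE and echo the path so it can be handed to snort -F.
write_bpf_file() {
    file=$1
    printf '%s\n' "$2" > "$file"
    printf '%s\n' "$file"
}

# Stand-alone run: write a filter for two assumed proxy addresses and show
# how it would be passed to snort (the snort line is printed, not executed).
bpf_file=$(write_bpf_file "$(mktemp)" "$(bpf_ignore_hosts 10.0.0.5 10.0.0.6)")
echo "BPF written to $bpf_file:"
cat "$bpf_file"
echo "Port-restricted alternative: $(bpf_ignore_host_port 10.0.0.5 3128)"
echo "Run as: snort -c /etc/snort/snort.conf -i eth0 -F $bpf_file"
```

The same file works with the config_bpf directive in snort.conf instead of -F. Before wiring it in, `tcpdump -d "$(cat "$bpf_file")"` compiles the expression with the same libpcap syntax and reports a syntax error without starting Snort (it still needs permission to open a capture interface).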