Re: Snort on proxy (outbound alerts)

[Jason Wallace <jason.r.wallace () gmail com>]

Without using a transparent proxy, your only options are to monitor
"Proxy <-> Client" or "Proxy <-> Outside" or both. You can't merger
the two together because they are different sessions. If you monitor
both and have a SIEM you can sometimes "merge" the SIEM alerts
together if the SIEM is collecting alerts from both sensors and the
proxy.

On Fri, Jan 18, 2013 at 1:51 PM, T. R <joga3.web () gmail com> wrote:
> I cannot run a transparent proxy.
>
> You got it, I want to be alerted about my LAN.
> Already thought about BPF filters, but what you are forgetting, is that some
> rules are made to match on some DESTINATIONS. In my case, the destination
> for my clients' HTTP traffic will always be my proxy.
> Something interesting, would be if snort could look at the CONNECT method in
> my HTTP requests (for example).
>
> T.
>
>
> 2013/1/18 waldo kitty <wkitty42 () windstream net>
> > On 1/18/2013 06:50, J. H wrote:
> > > Hi,
> > >
> > > Thank you for answering.
> > >
> > > Only one interface on my proxy machine.
> > >
> > > SQUID/Snort listenin on the same one.
> >
> > some might consider that to be part of the problem... it sounds like what
> > you
> > want is for snort to be listening only to your internal machines... you
> > might be
> > able to use a bpf to block out alerts concerning your proxy...
> >
> >
> >
> >
> > ------------------------------------------------------------------------------
> > Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
> > much more. Get web development skills now with LearnDevNow -
> > 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
> > SALE $99.99 this month only -- learn more at:
> > http://p.sf.net/sfu/learnmore_122812
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort
> > news!
>
>
>
> ------------------------------------------------------------------------------
> Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
> much more. Get web development skills now with LearnDevNow -
> 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
> SALE $99.99 this month only -- learn more at:
> http://p.sf.net/sfu/learnmore_122812
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort
> news!

------------------------------------------------------------------------------
Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and
much more. Get web development skills now with LearnDevNow -
350+ hours of step-by-step video tutorials by Microsoft MVPs and experts.
SALE $99.99 this month only -- learn more at:
http://p.sf.net/sfu/learnmore_122812
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!