Snort mailing list archives
Re: Snort on proxy (outbound alerts)
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Fri, 18 Jan 2013 14:12:10 -0500
Without using a transparent proxy, your only options are to monitor "Proxy <-> Client" or "Proxy <-> Outside" or both. You can't merger the two together because they are different sessions. If you monitor both and have a SIEM you can sometimes "merge" the SIEM alerts together if the SIEM is collecting alerts from both sensors and the proxy. On Fri, Jan 18, 2013 at 1:51 PM, T. R <joga3.web () gmail com> wrote:
I cannot run a transparent proxy. You got it, I want to be alerted about my LAN. Already thought about BPF filters, but what you are forgetting, is that some rules are made to match on some DESTINATIONS. In my case, the destination for my clients' HTTP traffic will always be my proxy. Something interesting, would be if snort could look at the CONNECT method in my HTTP requests (for example). T. 2013/1/18 waldo kitty <wkitty42 () windstream net>On 1/18/2013 06:50, J. H wrote:Hi, Thank you for answering. Only one interface on my proxy machine. SQUID/Snort listenin on the same one.some might consider that to be part of the problem... it sounds like what you want is for snort to be listening only to your internal machines... you might be able to use a bpf to block out alerts concerning your proxy... ------------------------------------------------------------------------------ Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and much more. Get web development skills now with LearnDevNow - 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts. SALE $99.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122812 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!------------------------------------------------------------------------------ Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and much more. Get web development skills now with LearnDevNow - 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts. SALE $99.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122812 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Master HTML5, CSS3, ASP.NET, MVC, AJAX, Knockout.js, Web API and much more. Get web development skills now with LearnDevNow - 350+ hours of step-by-step video tutorials by Microsoft MVPs and experts. SALE $99.99 this month only -- learn more at: http://p.sf.net/sfu/learnmore_122812 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Snort on proxy (outbound alerts) Thibaud Raso (Jan 18)
- Re: Snort on proxy (outbound alerts) Balasubramaniam Natarajan (Jan 18)
- Re: Snort on proxy (outbound alerts) J. H (Jan 18)
- Re: Snort on proxy (outbound alerts) Balasubramaniam Natarajan (Jan 18)
- Re: Snort on proxy (outbound alerts) waldo kitty (Jan 18)
- Re: Snort on proxy (outbound alerts) T. R (Jan 18)
- Re: Snort on proxy (outbound alerts) Jason Wallace (Jan 18)
- Re: Snort on proxy (outbound alerts) Jason Wallace (Jan 18)
- Re: Snort on proxy (outbound alerts) Joel Esler (Jan 18)
- Re: Snort on proxy (outbound alerts) Jason Wallace (Jan 18)
- Re: Snort on proxy (outbound alerts) J. H (Jan 18)
- Re: Snort on proxy (outbound alerts) Balasubramaniam Natarajan (Jan 18)