
| Subject: | [Snort-users] Alert on contents of proxy traffic |
|---|---|
| Date: | Mon, 26 Nov 2007 11:29:31 -0500 |
Here is the setup:

- Snort listening on traffic flowing between internal users and http proxy.
- Snort listening on traffic flowing between internal proxy and external web servers.

As anticipated, many rules are triggered on the traffic between the internal proxy and the external web servers. BUT, same rules are not triggered on same traffic between the http proxy and the internal users.

What I am trying to achieve is see an alert between the internal http proxy and external webservers, and correlate to an alert on the same traffic, but as it flows between the internal users and the internal http proxy. For some reason, only the outside traffic is triggering the alert.

To confirm snort and variables are set up correctly for testing so that I should see alerts, I confirmed I can trigger rules on ICMP traffic between the internal http proxy and the internal users.

It appears that the proxy is doing something to the traffic as it flows between the internal http proxy and the users, so that it is not detected by snort rules.

Any thoughts or suggestions on where to start tinkering?

Thanks in advance,
Scott

Scott Gould
Senior Network & Systems Analyst
Gynecologic Oncology Group Statistical & Data Center
scott.gould@gogstats.org
716-845-5702
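A diagnostic helper for the correlation Scott is after, added here as an example and not part of the thread: it assumes Snort was run over captures from both segments with fast alert output, and the interface names, file paths and alert lines are constructed.

```shell
#!/bin/sh
# Added example: correlate Snort fast-format alerts from the two capture points
# (users <-> proxy, proxy <-> web servers) and list the signature IDs that fired
# on one segment but not the other. Paths, interfaces and alert lines are assumed.
#
# Assumed capture/replay workflow (commands shown only, not run by this script):
#   tcpdump -i eth1 -w inside.pcap          # users <-> internal proxy
#   tcpdump -i eth2 -w outside.pcap         # proxy <-> external web servers
#   snort -r inside.pcap  -c snort.conf -A fast -l inside/   # writes inside/alert
#   snort -r outside.pcap -c snort.conf -A fast -l outside/  # writes outside/alert

# Pull the "[gid:sid:rev]" tag out of each fast-format alert line, sorted and deduplicated.
alert_sids() {
    sed -n 's/.*\[\*\*\] \[\([0-9][0-9]*:[0-9][0-9]*:[0-9][0-9]*\)\].*/\1/p' "$1" | sort -u
}

# Print the IDs that fired in alert file $1 but never in alert file $2.
sids_missing_from() {
    a=$(mktemp); b=$(mktemp)
    alert_sids "$1" > "$a"
    alert_sids "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed sample alert files mirroring the symptom in the thread: HTTP rules
# fire on the outside segment, only the ICMP test rule fires on the inside one.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/outside_alert" <<'EOF'
11/26-11:29:31.000001  [**] [1:1000001:1] CONSTRUCTED HTTP rule A [**] [Priority: 3] {TCP} 10.1.1.10:33000 -> 203.0.113.5:80
11/26-11:29:31.000002  [**] [1:1000002:1] CONSTRUCTED HTTP rule B [**] [Priority: 3] {TCP} 10.1.1.10:33001 -> 203.0.113.6:80
11/26-11:29:32.000003  [**] [1:1000003:1] CONSTRUCTED ICMP test rule [**] [Priority: 3] {ICMP} 10.1.1.10 -> 203.0.113.5
EOF
cat > "$SAMPLE_DIR/inside_alert" <<'EOF'
11/26-11:29:32.000004  [**] [1:1000003:1] CONSTRUCTED ICMP test rule [**] [Priority: 3] {ICMP} 192.168.1.50 -> 10.1.1.10
EOF

echo "Signatures seen proxy->web but silent users->proxy:"
sids_missing_from "$SAMPLE_DIR/outside_alert" "$SAMPLE_DIR/inside_alert"
```

The IDs it lists are the rules to look at first on the inside segment, for example by checking whether the proxy's listening port is covered by the port variables those rules use.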