Thanks for the prompt reply
Snort version 2.4.5
Proxy runs on port 80
An example rule would be just about any web content. For example, a
rule that triggers on the outside between the internal proxy server and
external webservers with the following options:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test
Phrase"; content:"test Phrase"; nocase;
flow:to_client,established;...........
Would only trigger on the inside between the internal client and
internal http proxy server, if I remove the flow info:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test
Phrase"; content:"test Phrase"; nocase;
......................................
For testing purposes I have set the $EXTERNAL_NET and $HOME_NET to any.
BTW, there are 2 different snort instances here. But, other than server
specific settings for some of the preprocessors (servers which are not
involved in this scenario), the configs are the same for testing
purposes.
Scott
-----Original Message-----
From: rmkml [mailto:rmkml@free.fr]
Sent: Monday, November 26, 2007 9:00 AM
To: Gould, Scott
Cc: rmkml@free.fr
Subject: Re: [Snort-users] Alert on contents of proxy traffic
Hi Scott,
what snort version you use please ?
maybe send example (traffic/alert) ?
and send snort.conf ?
what port on your proxy please ? (81 ? 3128 ? 8000 ? 8080 ?) Interesting
think with snort 280 and port var features !
Best Regards
Rmkml
On Mon, 26 Nov 2007, Gould, Scott wrote:
Date: Mon, 26 Nov 2007 11:29:31 -0500
From: "Gould, Scott" <scott.gould@gogstats.org>
To: Snort-users@lists.sourceforge.net
Subject: [Snort-users] Alert on contents of proxy traffic
Here is the setup:
Snort listening on traffic flowing between internal users and http
proxy. Snort listening on traffic flowing between internal proxy and
external web servers. As anticipated, many rules are triggered on the
traffic between the internal proxy and the external web servers. BUT,
same rules are not triggered on same traffic between the http proxy
and the internal users.
What I am trying to achieve is see an alert between the internal http
proxy and external webservers, and correlate to an alert on the same
traffic, but as it flows between the internal users and the internal
http proxy. For some reason, only the outside traffic is triggering
the alert. To confirm snort and variables are setup correctly for
testing so that I should see alerts, I confirmed can trigger rules on
ICMP traffic between the internal http proxy and the internal users.
It appears that the proxy is doing something to the traffic as it
flows between the internal http proxy and the users, so that is not
detected by snort rules.
Any thoughts or suggestions on where to start tinkering?
Thanks in advance,
Scott
Scott Gould
Senior Network & Systems Analyst
Gynecologic Oncology Group
Statistical & Data Center
scott.gould@gogstats.org
716-845-5702
This email message may contain legally privileged and/or confidential
information. If you are not the intended recipient(s), or the employee
or agent responsible for the delivery of this message to the intended
recipient(s), you are hereby notified that any disclosure, copying,
distribution, or use of this email message is prohibited. If you have
received this message in error, please notify the sender immediately
by e-mail and delete this email message from your computer. Thank you.
<mailto:'Snort-users@lists.sourceforge.net'>
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
