
| Subject: | Re: [Snort-users] Alert on contents of proxy traffic |
|---|---|
| Date: | Mon, 26 Nov 2007 14:12:17 -0500 |
Thanks for the info and explanation Will. I did a little more testing and thought I would mention what I found in case it makes any difference.

Turns out the traffic between the internal http proxy and users is alerted on if I remove ONLY the "established" part of the rule flow option. Also, the proxy is a linux based McAfee SCM appliance that uses the built-in mozilla/firefox/IE client side proxy settings.

I also noticed that if I do define a default http_inspect_server config line, then even with the "established" part of the rule flow option used, the IDS does NOT alert on the traffic. Aka, if I do NOT define a default http_inspect_server config line, AND I remove the "established" part of the rule flow option, then the traffic between the internal http proxy and users is alerted on, as I would like.

Now, I can't really go through all rules and remove the established portion of the flow section. I did define some http_inspect_server config lines for our internal webservers. Does any of the above offer any ideas as to what I could tweak other than every single rule that I want to be alerted on? Would creating a custom http_inspect_server config line for the internal http proxy server perhaps allow this traffic to be alerted on? Any ideas on what options to use if this is the route to go?

-----Original Message-----
From: Will Metcalf [mailto:william.metcalf@gmail.com]
Sent: Monday, November 26, 2007 12:10 PM
To: Gould, Scott
Cc: Snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] Alert on contents of proxy traffic

Well first off you are not going to see very much of the payload returned from an external webserver because of the default flow_depth in http_inspect. You can set flow_depth to 0 to see the entire payload at the expense of deep sixing your IDS. In addition if you are wrapping requests inside of a Winsock proxy client (ISA Server) snort may not fire because it does not know how to decode this protocol.

Regards,
Will

On Nov 26, 2007 10:47 AM, Gould, Scott <scott.gould@gogstats.org> wrote:
Thanks for the prompt reply

Snort version 2.4.5
Proxy runs on port 80

An example rule would be just about any web content. For example, a rule that triggers on the outside between the internal proxy server and external webservers with the following options:

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test Phrase"; content:"test Phrase"; nocase; flow:to_client,established;...........

Would only trigger on the inside between the internal client and internal http proxy server, if I remove the flow info:

    alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"Test Phrase"; content:"test Phrase"; nocase; ......................................

For testing purposes I have set the $EXTERNAL_NET and $HOME_NET to any.
BTW, there are 2 different snort instances here. But, other than server specific settings for some of the preprocessors (servers which are not involved in this scenario), the configs are the same for testing purposes.

Scott

-----Original Message-----
From: rmkml [mailto:rmkml@free.fr]
Sent: Monday, November 26, 2007 9:00 AM
To: Gould, Scott
Cc: rmkml@free.fr
Subject: Re: [Snort-users] Alert on contents of proxy traffic

Hi Scott,
what snort version do you use please?
maybe send example (traffic/alert)? and send snort.conf?
what port on your proxy please? (81? 3128? 8000? 8080?)
Interesting thing with snort 280 and port var features!
Best Regards
Rmkml

On Mon, 26 Nov 2007, Gould, Scott wrote:

Date: Mon, 26 Nov 2007 11:29:31 -0500
From: "Gould, Scott" <scott.gould@gogstats.org>
To: Snort-users@lists.sourceforge.net
Subject: [Snort-users] Alert on contents of proxy traffic

Here is the setup:
Snort listening on traffic flowing between internal users and http proxy.
Snort listening on traffic flowing between internal proxy and external web servers.

As anticipated, many rules are triggered on the traffic between the internal proxy and the external web servers. BUT, same rules are not triggered on same traffic between the http proxy and the internal users.

What I am trying to achieve is see an alert between the internal http proxy and external webservers, and correlate to an alert on the same traffic, but as it flows between the internal users and the internal http proxy. For some reason, only the outside traffic is triggering the alert. To confirm snort and variables are setup correctly for testing so that I should see alerts, I confirmed I can trigger rules on ICMP traffic between the internal http proxy and the internal users.

It appears that the proxy is doing something to the traffic as it flows between the internal http proxy and the users, so that it is not detected by snort rules. Any thoughts or suggestions on where to start tinkering?

Thanks in advance,
Scott

Scott Gould
Senior Network & Systems Analyst
Gynecologic Oncology Group Statistical & Data Center
scott.gould@gogstats.org
716-845-5702

This email message may contain legally privileged and/or confidential information. If you are not the intended recipient(s), or the employee or agent responsible for the delivery of this message to the intended recipient(s), you are hereby notified that any disclosure, copying, distribution, or use of this email message is prohibited. If you have received this message in error, please notify the sender immediately by e-mail and delete this email message from your computer. Thank you.
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
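To make the two settings the thread compares concrete, here is an added Snort 2.x configuration fragment; it is not from any message in the thread. It shows the http_inspect_server stanza with the flow_depth 0 option Will mentions, scoped to an assumed proxy address, beside the default profile, plus Scott's rule in both forms. The address 10.0.0.5, the port list and the sid values are placeholders, and whether a proxy-specific stanza resolves Scott's case is not confirmed anywhere in the thread.

```snort
# Added example, not from the thread. Snort 2.x http_inspect syntax is
# assumed; 10.0.0.5 is a placeholder for the internal proxy's address.

# Default server profile: keeps the default flow_depth, so only the
# first part of each response body from external webservers is inspected.
preprocessor http_inspect_server: server default \
    profile all ports { 80 8080 }

# Proxy-specific profile. flow_depth 0 inspects the entire response body
# on port 80 for this one host, which is the trade-off Will describes:
# full payload visibility at a real performance cost to the sensor.
preprocessor http_inspect_server: server 10.0.0.5 \
    profile all ports { 80 } flow_depth 0

# Scott's rule with the flow option: only fires on server->client data
# inside a TCP session that the stream preprocessor has seen established.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
    (msg:"Test Phrase"; content:"test Phrase"; nocase; \
    flow:to_client,established; sid:1000001; rev:1;)

# The same rule without the flow option: no dependency on tracked session
# state, which is the form that fired on the proxy-to-user leg in the thread.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
    (msg:"Test Phrase no flow"; content:"test Phrase"; nocase; \
    sid:1000002; rev:1;)
```

Scoping flow_depth 0 to a single server keeps the cost Will warns about limited to the proxy's traffic rather than every HTTP flow the sensor sees.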