Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] snort and squid

from [Helmut Schneider] Network Security [Permanent Link]
Subject: Re: [Snort-users] snort and squid
Date: Thu, 17 Jan 2008 16:17:41 +0100 
From: "Paul Melson" <pmelson@gmail.com>


I'm using snort 2.7 on two machines, one at a hub next to the router
and the firewall and since yesterday a second sensor on my proxy
(squid). All web-traffic must go through the proxy.
The first sensor gives information about e.g. that one uses google
desktop but does not say which client (of course, as source is the
proxy). So I installed snort as a second sensor on the proxy but
without success. The alerts the first sensors finds are not found on
the second sensor (the squid protocol might differ from HTTP).

Is there a way to configure snort to reveal which exact client "breaks"
policies?


Add 3128 to HTTP_PORTS in your snort.conf.  All of your HTTP rules
will be looking on port 80 and the traffic to thw proxy is on 3128.


Still no luck. I get tons of 'http_inspect', lots of 'icmp' stuff, but no 
single 'porn', 'Google Desktop', ... is caught (while on the external sensor 
it is; and I use the same configuration as on the external sensor and only 
changed EXTERNAL_NET).

var HOME_NET [192.168.0.0/24,192.168.1.0/24,192.168.2.0/24]
var EXTERNAL_NET any
#var EXTERNAL_NET 192.168.1.70/32
[...]
var HTTP_SERVERS $HOME_NET
[...]
var WWW_SERVERS $HOME_NET
[...]
var HTTP_PORTS 3128
[...]
var RULE_PATH /usr/local/etc/snort/rules
[...]
[...]
preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: \
    server default \
    apache_whitespace no \
    ascii no \
    bare_byte no \
    chunk_length 500000 \
    flow_depth 1460 \
    directory no \
    double_decode no \
    iis_backslash no \
    iis_delimiter no \
    iis_unicode no \
    multi_slash no \
    non_strict \
    oversize_dir_length 500 \
    ports { 80 2301 3128 8000 8080 8180 8888 } \
    u_encode yes \
    non_rfc_char { 0x00 0x01 0x02 0x03 0x04 0x05 0x06 0x07 } \
    webroot no
[...]
include $RULE_PATH/policy.rules
include $RULE_PATH/porn.rules
[...] 


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] snort and squid, Paul Melson
Next by Date:  Re: [Snort-users] snort and squid, Joel Esler
Previous by Thread:  Re: [Snort-users] snort and squid, Paul Melson
Next by Thread:  Re: [Snort-users] snort and squid, Joel Esler
Indexes:  [Date] [Thread] [Top] [All Lists]