Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] snort and squid

from [Helmut Schneider] Network Security [Permanent Link]
Subject: Re: [Snort-users] snort and squid
Date: Fri, 18 Jan 2008 10:26:51 +0100 
From: "Joel Esler" <joel.esler@sourcefire.com>


You have two options.  Correlate the events with the logs from your  Squid 
proxy, or move the Snort sensor inside the proxy.


The second sensor *is* on the proxy.


Sometimes (and right now I can't remember if Squid does it) it will  add a 
header to the http that says "X-Forwarded-For" or similar that


X-Forwared-For is disabled of course. :)


will have the IP of the actual client.  However, like I said, I can't 
remember if Squid does that for you, and that would be the only way  that 
you can see the IP behind the proxy.


So, snort (or the current ruleset) is not able to inspect certain squid 
traffic? As I replied to Paul, some things are caught (e.g. SHELLCODE x86 
NOOP, Invalid FTP Command, and some more) but not the policy or porn 
traffic. 


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] snort and squid, Joel Esler
Next by Date:  [Snort-users] Using antivirus with snort 2.8.x, carlopmart
Previous by Thread:  Re: [Snort-users] snort and squid, Joel Esler
Next by Thread:  Re: [Snort-users] snort and squid, Joel Esler
Indexes:  [Date] [Thread] [Top] [All Lists]