Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] snort and squid

from [Joel Esler] Network Security [Permanent Link]
Subject: Re: [Snort-users] snort and squid
Date: Fri, 18 Jan 2008 09:09:21 -0500
Of course Snort will inspect the traffic. However, to view the internal ip, if the proxy is rewriting the Source IP, then it's a limitation.

If your intention is other, please clarify. I'm afraid I am not sure I understand what you are asking then.

Joel

On Jan 18, 2008, at 4:26 AM, Helmut Schneider wrote:

From: "Joel Esler" <joel.esler@sourcefire.com>

You have two options. Correlate the events with the logs from your Squid
proxy, or move the Snort sensor inside the proxy. 

The second sensor *is* on the proxy.

Sometimes (and right now I can't remember if Squid does it) it will add a
header to the http that says "X-Forwarded-For" or similar that 

X-Forwared-For is disabled of course. :)

will have the IP of the actual client. However, like I said, I can't
remember if Squid does that for you, and that would be the only way that
you can see the IP behind the proxy.

So, snort (or the current ruleset) is not able to inspect certain squid
traffic? As I replied to Paul, some things are caught (e.g. SHELLCODE x86
NOOP, Invalid FTP Command, and some more) but not the policy or porn
traffic.


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-users] HTTP_Inspect preproc question, Jorge Cuevas
Next by Date:  Re: [Snort-users] snort and squid, Helmut Schneider
Previous by Thread:  Re: [Snort-users] snort and squid, Helmut Schneider
Next by Thread:  Re: [Snort-users] snort and squid, Helmut Schneider
Indexes:  [Date] [Thread] [Top] [All Lists]