Of course Snort will inspect the traffic. However, to view the internal
ip, if the proxy
is rewriting the Source IP, then it's a limitation.
If your intention is other, please clarify. I'm afraid I am not sure I
understand what
you are asking then.
It shouldn't matter if I inspect traffic from the proxy to the webserver or
from the client to the proxy, the content should be the same.
But - I put snort on the proxy and changed HTTP_PORTS to 3128. I use the
same snort.conf for the external sensor and for the sensor on the proxy.
Now, what happens is, that I hit certain rules (e.g. SHELLCODE x86 NOOP,
Invalid FTP Command, and some more, so the sensor itself is working fine)
but I do not hit the porn or policy rules. I can wireshark the traffic from
the client to the proxy, I see the words 'porn' or 'masturbate' or whatever
in cleartext but snort does not hit some rules at all.
At the same time the rules for porn or policy *are* hit on the external
sensor.
So now I wonder why the external sensor hits the rules while the sensor on
the proxy does not. Althought I use exactly the same snort.conf except of
HTTP_PORTS.
Hope that clarifies. :)
Helmut
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
