Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] snort and squid

from [Seth] Network Security [Permanent Link]
Subject: Re: [Snort-users] snort and squid
Date: Fri, 18 Jan 2008 13:18:46 -0500 
Helmut,

Did you also add 3128 to the http_inspect preprocessor?  ie:
http_inspect_server: server default profile all ports {80 3128}


-Seth

On Jan 18, 2008 10:14 AM, Helmut Schneider <jumper99@gmx.de> wrote:

Of course Snort will inspect the traffic.  However, to view the internal
ip, if the proxy
is rewriting the Source IP, then it's a limitation.

If your intention is other, please clarify.  I'm afraid I am not sure I
understand what
you are asking then.


It shouldn't matter if I inspect traffic from the proxy to the webserver or
from the client to the proxy, the content should be the same.

But - I put snort on the proxy and changed HTTP_PORTS to 3128. I use the
same snort.conf for the external sensor and for the sensor on the proxy.

Now, what happens is, that I hit certain rules (e.g. SHELLCODE x86 NOOP,
Invalid FTP Command, and some more, so the sensor itself is working fine)
but I do not hit the porn or policy rules. I can wireshark the traffic from
the client to the proxy, I see the words 'porn' or 'masturbate' or whatever
in cleartext but snort does not hit some rules at all.

At the same time the rules for porn or policy *are* hit on the external
sensor.

So now I wonder why the external sensor hits the rules while the sensor on
the proxy does not. Althought I use exactly the same snort.conf except of
HTTP_PORTS.

Hope that clarifies. :)

Helmut



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] snort and squid, Helmut Schneider
Next by Date:  Re: [Snort-users] snort and squid, Helmut Schneider
Previous by Thread:  Re: [Snort-users] snort and squid, Helmut Schneider
Next by Thread:  Re: [Snort-users] snort and squid, Helmut Schneider
Indexes:  [Date] [Thread] [Top] [All Lists]