From: Joel Esler (joel.esler@sourcefire.com)
Date: Thu Jan 17 2008 - 09:36:29 CST
You have two options. Correlate the events with the logs from your
Squid proxy, or move the Snort sensor inside the proxy.
Sometimes (and right now I can't remember if Squid does it) it will
add a header to the http that says "X-Forwarded-For" or similar that
will have the IP of the actual client. However, like I said, I can't
remember if Squid does that for you, and that would be the only way
that you can see the IP behind the proxy.
Joel
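As an added illustration of the first option above (correlating the outside sensor's alerts with Squid's access.log), and of reading the X-Forwarded-For header when the proxy does add it (Squid's `forwarded_for` directive, on by default, is what controls that), here is a small Python script. It is not code from the original thread or from the Snort or Squid projects. The Snort alert line and the Squid log lines are constructed samples; Snort's fast alert format carries no year and is in local time, so the script takes the year as a parameter and assumes UTC, which you would adjust for your sensor. The match key is Squid's outbound peer address (the `DIRECT/ip` field), not the client, because that is what the sensor on the outside of the proxy sees as the destination; Squid's timestamp is the end of the transaction, so the script subtracts the elapsed time to get a start/end window rather than matching on one instant.

```python
"""Correlate Snort alerts seen on the proxy's outside with Squid access.log
to recover the real client, and extract the X-Forwarded-For client address.
Added example; all log data below is constructed, not from the thread."""
import re
from datetime import datetime, timezone

# Snort "fast" alert format; it has no year, so the caller supplies one.
SNORT_FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[[^\]]+\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample: 17 Jan 2008 09:36:29.5 (assumed UTC) from the outside sensor.
SAMPLE_ALERT = (
    "01/17-09:36:29.500000  [**] [1:2000001:1] POLICY Google Desktop user-agent [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} "
    "192.168.1.2:34567 -> 64.233.167.99:80"
)

# Constructed Squid native access.log lines: end-time(epoch) elapsed(ms) client
# code/status bytes method URL rfc931 hierarchy/peer type
SAMPLE_SQUID_LOG = """\
1200562590.212    812 10.1.1.42 TCP_MISS/200 4521 GET http://desktop.google.com/update?x=1 - DIRECT/64.233.167.99 text/html
1200562589.900    150 10.1.1.7 TCP_MISS/200 980 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
1200562400.100    300 10.1.1.42 TCP_MISS/200 1000 GET http://desktop.google.com/ - DIRECT/64.233.167.99 text/html
"""

def parse_snort_fast(line, year, tz=timezone.utc):
    """Parse one fast-format alert into an epoch timestamp plus addresses."""
    m = SNORT_FAST_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f").replace(tzinfo=tz)
    return {"ts": ts.timestamp(), "msg": m["msg"], "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}

def parse_squid_native(line):
    """Parse one native-format Squid line; the logged time is request completion,
    so derive the transaction start from the elapsed milliseconds."""
    f = line.split()
    if len(f) < 10:
        return None
    end = float(f[0])
    start = end - int(f[1]) / 1000.0
    peer = f[8].partition("/")[2] or None  # e.g. DIRECT/64.233.167.99
    return {"start": start, "end": end, "client": f[2],
            "method": f[5], "url": f[6], "peer": peer}

def correlate(alert, squid_entries, slack=1.0):
    """Squid entries whose upstream peer equals the alert's destination and whose
    transaction window (with a little clock slack) brackets the alert time."""
    return [e for e in squid_entries
            if e["peer"] == alert["dst"]
            and e["start"] - slack <= alert["ts"] <= e["end"] + slack]

def find_clients(alert_line, squid_log, year):
    """Client IPs behind the proxy that plausibly caused the given alert."""
    alert = parse_snort_fast(alert_line, year)
    if alert is None:
        return []
    entries = [e for e in (parse_squid_native(l) for l in squid_log.splitlines()) if e]
    return [e["client"] for e in correlate(alert, entries)]

def client_from_xff(raw_request):
    """Take the LAST X-Forwarded-For entry: that is the one appended by the proxy
    nearest the sensor; earlier entries may have been supplied by the client itself.
    Squid writes 'unknown' when forwarded_for is off."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for hline in head.split(b"\r\n")[1:]:
        name, _, value = hline.partition(b":")
        if name.strip().lower() == b"x-forwarded-for":
            last = value.split(b",")[-1].strip().decode("ascii", "replace")
            return None if last in ("", "unknown") else last
    return None

# Constructed request as the outside sensor would see it leaving the proxy.
SAMPLE_REQUEST = (b"GET http://desktop.google.com/update HTTP/1.0\r\n"
                  b"Host: desktop.google.com\r\n"
                  b"X-Forwarded-For: 1.2.3.4, 10.1.1.42\r\n"
                  b"Via: 1.0 proxy\r\n\r\n")

if __name__ == "__main__":
    print("clients from Squid log:", find_clients(SAMPLE_ALERT, SAMPLE_SQUID_LOG, 2008))
    print("client from X-Forwarded-For:", client_from_xff(SAMPLE_REQUEST))
```

In practice you would feed `find_clients` the alert file and the slice of access.log around the alert time, and keep the clocks of the sensor and the proxy in sync (NTP), since the window match is only as good as the timestamps. If the proxy runs with `forwarded_for off`, the header reads `unknown` and the log correlation is the only path.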
On Jan 17, 2008, at 5:46 AM, Helmut Schneider wrote:
> Hi,
>
> I'm using snort 2.7 on two machines, one at a hub next to the router
> and the firewall and since yesterday a second sensor on my proxy
> (squid). All web-traffic must go through the proxy.
> The first sensor gives information about e.g. that one uses google
> desktop but does not say which client (of course, as source is the
> proxy). So I installed snort as a second sensor on the proxy but
> without success. The alerts the first sensor finds are not found on
> the second sensor (the squid protocol might differ from HTTP).
>
> Is there a way to configure snort to reveal which exact client
> "breaks" policies?
>
> Thanks, Helmut
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users