[Bro] Sensor placement with presence of web proxies

Martin Holste mcholste at gmail.com
Thu Jan 26 13:54:35 PST 2012

Our org is looking at using web proxies without changing settings on
the client.  This can involve using Cisco's WCCP or policy-based
routing to marshal traffic that would normally go to the Internet to a
proxy.  As I understand it, the proxy makes the request, returns the
response to the router, and the router returns the response to the
client.  My question is if anyone has run into problems with a tap or
span on the side of the router closest to the client.  That is, does
the proxy change the traffic enough to interfere?  It seems
nonsensical to put the sensor at the edge of the network since the
requests will have the source IP of the proxy, not the actual client,
but that means that the traffic the IDS inspects will be inauthentic
versus what the remote host on the Internet actually sent.
Theoretically, it should be the same traffic, but I'm wondering if
anyone can confirm that.  I'm especially concerned with appliances
that reorder or normalize HTTP headers, etc.



More information about the Bro mailing list