[Bro] Sensor placement with presence of web proxies

Russell Fulton r.fulton at auckland.ac.nz
Thu Jan 26 18:01:34 PST 2012


one thing I do with some of the snort stuff is to pull the packet contents and look for a 'X-FORWRDED-FOR' header.

Several of my automated scripts do this so this enables me to trace connections back through squid proxies with out problems.

If the proxies add such headers than you may be able to get a bro script to automatically pull the real IP and report that.

R

On 27/01/2012, at 10:54 AM, Martin Holste wrote:

> Our org is looking at using web proxies without changing settings on
> the client.  This can involve using Cisco's WCCP or policy-based
> routing to marshal traffic that would normally go to the Internet to a
> proxy.  As I understand it, the proxy makes the request, returns the
> response to the router, and the router returns the response to the
> client.  My question is if anyone has run into problems with a tap or
> span on the side of the router closest to the client.  That is, does
> the proxy change the traffic enough to interfere?  It seems
> nonsensical to put the sensor at the edge of the network since the
> requests will have the source IP of the proxy, not the actual client,
> but that means that the traffic the IDS inspects will be inauthentic
> versus what the remote host on the Internet actually sent.
> Theoretically, it should be the same traffic, but I'm wondering if
> anyone can confirm that.  I'm especially concerned with appliances
> that reorder or normalize HTTP headers, etc.
> 
> Thanks,
> 
> Martin
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro




More information about the Bro mailing list