[Bro] Determining remote proxy servers using Bro.

fatema bannatwala fatema.bannatwala at gmail.com
Thu Aug 4 13:07:15 PDT 2016


Thanks Johanna,

Didn't realize that the "Proxied" field in http.log serves the purpose.
Thanks for the suggestion.

-Fatema

On Wed, Aug 3, 2016 at 3:42 PM, Johanna Amann <johanna at icir.org> wrote:

> Hi Fatema,
>
> one idea would be to look if the used proxy servers set a header like,
> X-Forwarded-For (https://en.wikipedia.org/wiki/X-Forwarded-For). If such a
> header is present, you already might have an entry in the proxied column
> of http.log.
>
> I hope this helps,
>  Johanna
>
> On Fri, Jul 29, 2016 at 02:17:37PM -0400, fatema bannatwala wrote:
> > Hi,
> >
> > Recently we have seen an uptick in use of proxy servers to login to the
> > accounts from people living in China. And since the connection appears to
> > come from US based IP address (probably a proxy) they go un-flagged by the
> > IDS/IPS devices, as they see normal logins from United States IP addresses.
> > So my question is, is there a way to determine that the incoming connection
> > from an IP is actually a proxy server's IP, by looking at some unique
> > patterns in data collected by IDS/IPS devices? and if so can we do it using
> > Bro?
> >
> > Thanks,
> > Fatema.
>
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
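An added example (not code from the thread or from the Bro project) of acting on Johanna's suggestion: a small Python parser for a Bro ASCII http.log that reads the separator, set and empty/unset markers from the log header, pulls apart the "HEADER -> value" entries Bro writes into the proxied column, and reports, per client address, which forwarding headers were seen and which client IP those headers claim. The http.log below is constructed; the column list is a subset of the real one, and the "HEADER -> value" form of the proxied column is assumed from Bro's default HTTP script. One caveat worth keeping in mind when using this for the login-from-China case: the headers only appear when a proxy chooses to add them, so an empty proxied column rules nothing out, while a non-empty one gives a claimed client address that can be compared against the originating IP.

```python
"""Summarize Bro http.log records whose 'proxied' column is set.

Added example, not code from the Bro project or the list thread. Assumes
Bro's default TSV log layout (#separator, #set_separator, #empty_field,
#unset_field, #fields, #types headers) and 'HEADER -> value' entries in
the 'proxied' set column.
"""
import ipaddress
import re

# Constructed sample http.log (a subset of Bro's real columns).
SAMPLE_HTTP_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tproxied
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tset[string]
1470000000.1\tCabc1\t198.51.100.7\t51234\t192.0.2.10\t443\tPOST\tlogin.example.edu\t/auth\tX-FORWARDED-FOR -> 203.0.113.45,VIA -> 1.1 proxy.example.net
1470000001.2\tCabc2\t198.51.100.7\t51240\t192.0.2.10\t443\tGET\tlogin.example.edu\t/\t(empty)
1470000002.3\tCabc3\t192.0.2.99\t40000\t192.0.2.10\t443\tGET\tlogin.example.edu\t/\t-
1470000003.4\tCabc4\t198.51.100.9\t51300\t192.0.2.10\t443\tPOST\tlogin.example.edu\t/auth\tCLIENT-IP -> 203.0.113.46
"""

_HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def _unescape(value):
    """Undo Bro's \\xHH escaping of separator characters inside a field."""
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_bro_log(text):
    """Yield one dict per record, honoring the markers declared in the header.
    Set/vector columns become lists; unset columns become None."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    fields, types = [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # The separator line is the only header written with a space.
            sep = line[len("#separator "):].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, val = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = val
            elif key == "empty_field":
                empty = val
            elif key == "unset_field":
                unset = val
            elif key == "fields":
                fields = val.split(sep)
            elif key == "types":
                types = val.split(sep)
            continue
        rec = {}
        for i, (name, raw) in enumerate(zip(fields, line.split(sep))):
            typ = types[i] if i < len(types) else "string"
            if raw == unset:
                rec[name] = None
            elif typ.startswith(("set[", "vector[")):
                rec[name] = [] if raw == empty else [_unescape(v) for v in raw.split(set_sep)]
            else:
                rec[name] = _unescape(raw)
        yield rec


def parse_proxied_entry(entry):
    """Split a 'HEADER -> value' entry from the proxied column."""
    header, _, value = entry.partition(" -> ")
    return header.strip(), value.strip()


def claimed_client_ips(value):
    """Return the IP addresses in a forwarding header value. X-Forwarded-For
    may carry a comma-separated chain; Via carries a hostname, which is skipped."""
    ips = []
    for tok in value.split(","):
        try:
            ips.append(str(ipaddress.ip_address(tok.strip())))
        except ValueError:
            pass  # not an address (e.g. "1.1 proxy.example.net")
    return ips


def summarize_proxies(text):
    """Map each originating IP that sent proxy headers to the header names
    seen, the client addresses those headers claim, and a record count."""
    out = {}
    for rec in parse_bro_log(text):
        entries = rec.get("proxied") or []
        if not entries:
            continue
        info = out.setdefault(rec["id.orig_h"],
                              {"headers": set(), "claimed_clients": set(), "records": 0})
        info["records"] += 1
        for entry in entries:
            header, value = parse_proxied_entry(entry)
            info["headers"].add(header)
            info["claimed_clients"].update(claimed_client_ips(value))
    return out


if __name__ == "__main__":
    for ip, info in sorted(summarize_proxies(SAMPLE_HTTP_LOG).items()):
        print(ip, info["records"], sorted(info["headers"]), sorted(info["claimed_clients"]))
```

Run it against a real http.log by reading the file into `summarize_proxies`; the originating addresses it returns are the candidate proxies, and the claimed client addresses are what to check against the geolocation the IDS/IPS saw.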

