[Bro] Determining remote proxy servers using Bro.
fatema.bannatwala at gmail.com
Thu Aug 4 13:07:15 PDT 2016
Didn't realized that the "Proxied" field in http.log serves the purpose.
Thanks for the suggestion.
On Wed, Aug 3, 2016 at 3:42 PM, Johanna Amann <johanna at icir.org> wrote:
> Hi Fatema,
> one idea would be to look if the used proxy servers set a header like,
> X-Forwarded-For (https://en.wikipedia.org/wiki/X-Forwarded-For). If such a
> header is present, you already might have an entry in the proxied column
> of http.log.
> I hope this helps,
> On Fri, Jul 29, 2016 at 02:17:37PM -0400, fatema bannatwala wrote:
> > Hi,
> > Recently we have seen an uptick in use of proxy servers to login to the
> > accounts from people living in China. And since the connection appears to
> > come from US based IP address (probably a proxy) they go un-flagged by
> > IDS/IPS devices, as they see normal logins from United States IP
> > So my question is, is there a way to determine that the incoming
> > from an IP is actually a proxy server's IP, by looking at some unique
> > patterns in data collected by IDS/IPS devices? and if so can we do it
> > Bro?
> > Thanks,
> > Fatema.
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Bro