[Bro] Determining remote proxy servers using Bro.

Johanna Amann johanna at icir.org
Wed Aug 3 12:42:32 PDT 2016


Hi Fatema,

One idea would be to check whether the proxy servers in use set a header like
X-Forwarded-For (https://en.wikipedia.org/wiki/X-Forwarded-For). If such a
header is present, you might already have an entry in the proxied column
of http.log.

I hope this helps,
 Johanna

On Fri, Jul 29, 2016 at 02:17:37PM -0400, fatema bannatwala wrote:
> Hi,
> 
> Recently we have seen an uptick in use of proxy servers to log in to the
> accounts from people living in China. And since the connection appears to
> come from a US-based IP address (probably a proxy), they go unflagged by the
> IDS/IPS devices, as they see normal logins from United States IP addresses.
> So my question is, is there a way to determine that the incoming connection
> from an IP is actually a proxy server's IP, by looking at some unique
> patterns in data collected by IDS/IPS devices? And if so, can we do it using
> Bro?
> 
> Thanks,
> Fatema.


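One way to act on the suggestion in the reply above, as an added example that is not part of the original thread or of Bro itself: a Python pass over http.log that groups the X-Forwarded-For entries of the proxied column by connecting address. The log lines are constructed, and the `NAME -> value` entry layout, the default `-` and `(empty)` markers and the `\x2c` escaping of commas inside set elements are assumptions about Bro's default ASCII log output.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in Bro's tab-separated http.log layout (columns trimmed, not real traffic).
SAMPLE_LOG = "\n".join([
    "#set_separator\t,",
    "#fields\tts\tuid\tid.orig_h\tid.resp_h\thost\turi\tproxied",
    "1470253352.1\tCa1\t198.51.100.7\t192.0.2.10\tsso.example.edu\t/login\t"
    "VIA -> 1.1 px1 (squid),X-FORWARDED-FOR -> 203.0.113.5",
    "1470253360.4\tCa2\t198.51.100.7\t192.0.2.10\tsso.example.edu\t/login\t"
    "X-FORWARDED-FOR -> 203.0.113.77\\x2c 10.1.1.1",
    "1470253371.9\tCa3\t192.0.2.99\t192.0.2.10\tsso.example.edu\t/login\t-",
    "1470253380.2\tCa4\t198.51.100.8\t192.0.2.10\tsso.example.edu\t/login\t"
    "X-FORWARDED-FOR -> unknown",
])

def forwarded_clients(log_text, unset="-", empty="(empty)"):
    """Map each connecting address (id.orig_h) that sent X-Forwarded-For to the
    set of client addresses it claims to relay (empty set if none parse)."""
    fields, set_sep = [], ","
    seen = defaultdict(set)
    for line in log_text.splitlines():
        if line.startswith("#"):
            key, _, rest = line[1:].partition("\t")
            if key == "fields":
                fields = rest.split("\t")
            elif key == "set_separator":
                set_sep = rest
            continue
        row = dict(zip(fields, line.split("\t")))
        proxied = row.get("proxied", unset)
        if proxied in (unset, empty):
            continue  # no proxy header logged for this request
        for entry in proxied.split(set_sep):
            name, _, value = entry.partition(" -> ")
            if name.upper() != "X-FORWARDED-FOR":
                continue
            clients = seen[row["id.orig_h"]]  # key exists even if no hop parses
            # Assumed escaping: a comma inside the header value is logged as \x2c.
            for hop in value.replace("\\x2c", ",").split(","):
                try:
                    clients.add(str(ipaddress.ip_address(hop.strip())))
                except ValueError:
                    pass  # "unknown" or another non-address identifier
    return dict(seen)

if __name__ == "__main__":
    for proxy, clients in forwarded_clients(SAMPLE_LOG).items():
        print(proxy, sorted(clients))
```

The header is supplied by the sender, so a proxy that omits it stays invisible to this check and a forged value is reported as-is; it also only appears for HTTP that Bro can parse in cleartext.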

