[Bro] How to detect transparent proxy by BRO IDS (2.4.1)
James Lay
jlay at slave-tothe-box.net
Tue Oct 25 12:37:13 PDT 2016
On 2016-10-25 13:02, Johanna Amann wrote:
> Hi Hafiz,
>
> there is no reason why Bro should not log HTTP sessions when there is a
> transparent proxy (which, as the name suggests, should also be transparent
> to Bro). Hence I assume there is something different going on.
>
> Do your conn.log entries look like Bro sees entire TCP sessions?
>
> Johanna
>
> On Mon, Oct 24, 2016 at 09:36:08AM +0500, Hafiz Shafiq wrote:
>> Sir,
>> Our network administrator is using a proxy in transparent mode (SQUID). In
>> this mode, there is no need for the user to configure a proxy option on his
>> computer. I have captured a few hours of traffic via tcpdump, and when I run
>> bro to know about HTTP traffic and the different apps used (like google,
>> youtube etc.), I am amazed to know that there are not even http.log and
>> app_stats.log files generated. Is it some problem in the bro
>> configuration? I have searched its manual; the information given about
>> proxies could not solve my problem. I have checked load_scripts.log. It
>> shows that the http analyzer is loaded.
>> Can you please guide me about this issue?
>>
>> Regards
>>
>> Hafiz Muhammad Shafiq
>
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
FWIW I do this at home with squid. If you have bro listening on the
external and internal as I do you'll see something like this on the
external:
2016-10-25T13:19:54-0600 CSBm181DwlSMeM1Jkl ext.ip.address 35292 151.101.52.246 80 1 GET i.scdn.co /image/bfe99c49e55b1b0881da51b6820051673071c34e - Spotify/6.3.0 Android/22 (LG-ls990) 0 94040 200 OK - - - (empty) - - VIA -> 1.1 gateway (squid/3.5.22),X-FORWARDED-FOR -> 192.168.1.101 - - F898pvpKI8FAldYVb image/jpeg -
If you're only listening internal, you may not have any evidence to show
proxied information:
2016-10-25T13:19:54-0600 CKUVZB4Buv5shQEfre 192.168.1.101 45741 151.101.52.246 80 1 GET i.scdn.co /image/bfe99c49e55b1b0881da51b6820051673071c34e - Spotify/6.3.0 Android/22 (LG-ls990) 0 94040 200 OK - - - (empty) - - - - - FIcIh42olruCzFTJgl image/jpeg -
Hope that helps.
James
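Added example (not from the thread or from the Bro project): a small Python script that reads a Bro 2.4-style TSV http.log by its #fields header and reports every request whose `proxied` column carries Via or X-Forwarded-For evidence, recovering the real client address from X-Forwarded-For. The embedded log is constructed, modelled on the two entries James quoted above, with the column set trimmed to what the script uses and the external address replaced by a documentation IP; a real http.log has many more columns, and the parser copes with that because it takes the column names from the #fields line rather than hard-coding positions.

```python
"""Find transparent-proxy evidence in a Bro (2.4-era) http.log.

Bro's HTTP analyzer fills the `proxied` column with "HEADER -> value"
entries for proxy-related request headers such as Via and X-Forwarded-For.
On the external side of a Squid transparent proxy those headers are present;
on the internal side they are not, so the same request shows up there with
an unset `proxied` field and no proxy evidence at all.
"""

# Constructed sample, modelled on the thread's two entries but trimmed to the
# columns this script uses (a real http.log has many more). Bro writes the
# separator line as an escape sequence, literally "#separator \x09".
SAMPLE_HTTP_LOG = "\n".join([
    "#separator \\x09",
    "#set_separator\t,",
    "#empty_field\t(empty)",
    "#unset_field\t-",
    "#path\thttp",
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p"
    "\tmethod\thost\turi\tproxied",
    "#types\ttime\tstring\taddr\tport\taddr\tport"
    "\tstring\tstring\tstring\tset[string]",
    # external-side capture: Squid has added Via and X-Forwarded-For
    "1477422294.000000\tCSBm181DwlSMeM1Jkl\t203.0.113.10\t35292"
    "\t151.101.52.246\t80\tGET\ti.scdn.co\t/image/sample.jpg"
    "\tVIA -> 1.1 gateway (squid/3.5.22),X-FORWARDED-FOR -> 192.168.1.101",
    # internal-side capture of the same request: no proxy headers yet
    "1477422294.000000\tCKUVZB4Buv5shQEfre\t192.168.1.101\t45741"
    "\t151.101.52.246\t80\tGET\ti.scdn.co\t/image/sample.jpg\t-",
    "#close\t2016-10-25-13-20-00",
])


def parse_bro_log(text):
    """Parse a Bro TSV log into a list of dicts keyed by the #fields header.

    Unset fields ('-') become None; set/vector columns become lists, with
    Bro's '\\x2c' escaping of a literal comma inside an element undone.
    """
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields, types, records = [], [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#separator "):
            sep = line[len("#separator "):].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "unset_field":
                unset = value
            elif key == "empty_field":
                empty = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #path, #open, #close and friends carry no records
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("column count mismatch in line: %r" % line)
        record = {}
        for name, typ, raw in zip(fields, types or ["string"] * len(fields), values):
            if raw == unset:
                record[name] = None
            elif typ.startswith(("set[", "vector[")):
                record[name] = [] if raw == empty else [
                    elem.replace("\\x2c", ",") for elem in raw.split(set_sep)]
            else:
                record[name] = raw
        records.append(record)
    return records


def proxy_headers(record):
    """Turn Bro's proxied set ('HDR -> value' elements) into a dict."""
    headers = {}
    for item in record.get("proxied") or []:
        name, arrow, value = item.partition(" -> ")
        if arrow:
            headers[name.upper()] = value
    return headers


def find_proxied_requests(log_text):
    """Return one summary per request that carries proxy evidence."""
    hits = []
    for rec in parse_bro_log(log_text):
        headers = proxy_headers(rec)
        if not headers:
            continue  # nothing proxied; typical for an internal-side capture
        xff = headers.get("X-FORWARDED-FOR")
        hits.append({
            "uid": rec["uid"],
            "seen_client": rec["id.orig_h"],          # the proxy's address
            "real_client": xff.split(",")[0].strip() if xff else None,
            "via": headers.get("VIA"),
            "host": rec["host"],
        })
    return hits


if __name__ == "__main__":
    for hit in find_proxied_requests(SAMPLE_HTTP_LOG):
        print("%(uid)s %(seen_client)s really %(real_client)s via %(via)s -> %(host)s" % hit)
```

Run it against a real log with `find_proxied_requests(open("http.log").read())`. Note that X-Forwarded-For is a request header the client side can also set, so its value is evidence of a proxy hop, not proof of the true origin address; the Via value, with its squid/3.5.22 product token, is the more reliable fingerprint of the transparent proxy itself.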