[Bro] How to detect transparent proxy by BRO IDS (2.4.1)

James Lay jlay at slave-tothe-box.net
Tue Oct 25 12:37:13 PDT 2016


On 2016-10-25 13:02, Johanna Amann wrote:
> Hi Hafiz,
> 
> there is no reason why Bro should not log HTTP sessions when there is a
> transparent proxy (which, as the name suggests, should also be transparent
> to Bro). Hence I assume there is something different going on.
> 
> Do your conn.log entries look like Bro sees entire TCP sessions?
> 
> Johanna
> 
> On Mon, Oct 24, 2016 at 09:36:08AM +0500, Hafiz Shafiq wrote:
>> Sir,
>> Our network administrator is using a proxy in transparent mode (SQUID).
>> In this mode, there is no need for the user to configure proxy options on
>> his computer. I have captured a few hours of traffic via tcpdump, and when
>> I run bro to learn about the HTTP traffic and the different apps used (like
>> Google, YouTube etc.), I am amazed to find that there are not even http.log
>> and app_stats.log files generated. Is it some problem in the bro
>> configuration? I have searched its manual; the information given about
>> proxies could not solve my problem. I have checked load_scripts.log. It
>> shows that the http analyzer is loaded.
>> Can you please guide me about this issue?
>> 
>> Regards
>> 
>> Hafiz Muhammad Shafiq
> 
>> _______________________________________________
>> Bro mailing list
>> bro at bro-ids.org
>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

FWIW I do this at home with squid.  If you have bro listening on the 
external and internal as I do, you'll see something like this on the 
external:

2016-10-25T13:19:54-0600 CSBm181DwlSMeM1Jkl ext.ip.address 35292 151.101.52.246 80 1 GET i.scdn.co /image/bfe99c49e55b1b0881da51b6820051673071c34e - Spotify/6.3.0 Android/22 (LG-ls990) 0 94040 200 OK - - - (empty) - - VIA -> 1.1 gateway (squid/3.5.22),X-FORWARDED-FOR -> 192.168.1.101 - - F898pvpKI8FAldYVb image/jpeg -

If you're only listening internal, you may not have any evidence to show 
proxied information:

2016-10-25T13:19:54-0600 CKUVZB4Buv5shQEfre 192.168.1.101 45741 151.101.52.246 80 1 GET i.scdn.co /image/bfe99c49e55b1b0881da51b6820051673071c34e - Spotify/6.3.0 Android/22 (LG-ls990) 0 94040 200 OK - - - (empty) - - - - - FIcIh42olruCzFTJgl image/jpeg -

Hope that helps.

James
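The two http.log lines above differ only in the `proxied` column, which Bro fills from Via, X-Forwarded-For and similar headers as a set of `HEADER -> value` strings. The following is an added example (not code from the thread or from Bro) that turns that observation into a check: it parses Bro's tab-separated ASCII log format, locates `proxied` by name from the `#fields` header, and reports each request that carries proxy evidence together with the client the proxy says it forwarded for. The sample log embedded in it is constructed to mirror James's two entries, with `203.0.113.10` standing in for his external address, and its column list is the stock Bro 2.4 http.log layout; a site with extra scripts loaded may emit more columns, which is why records are keyed by `#fields` rather than by position.

```python
"""Spot transparently proxied HTTP requests in a Bro/Zeek http.log.

Added example for this thread, not code from the original posts or from
Bro itself. Bro records Via, X-Forwarded-For and similar headers in the
'proxied' column of http.log as a set of 'HEADER -> value' strings; this
script parses the ASCII log format, pulls that column out by name and
reports every request that carries proxy evidence along with the client
address the proxy says it forwarded for.
"""
import re
from typing import Dict, List, Optional

# Assumed: the stock Bro 2.4 http.log column list. Sites loading extra
# scripts get more columns, which is why records are keyed by #fields.
SAMPLE_FIELDS = [
    "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
    "trans_depth", "method", "host", "uri", "referrer", "user_agent",
    "request_body_len", "response_body_len", "status_code", "status_msg",
    "info_code", "info_msg", "filename", "tags", "username", "password",
    "proxied", "orig_fuids", "orig_mime_types", "resp_fuids", "resp_mime_types",
]

_URI = "/image/bfe99c49e55b1b0881da51b6820051673071c34e"
_UA = "Spotify/6.3.0 Android/22 (LG-ls990)"

# Constructed sample rows modelled on the thread: the first as seen on the
# external interface (Squid added Via/X-Forwarded-For), the second as seen
# on the internal interface (no proxy headers yet). 203.0.113.10 is a
# documentation address standing in for the real external IP.
_ROWS = [
    ["1477423194.000000", "CSBm181DwlSMeM1Jkl", "203.0.113.10", "35292",
     "151.101.52.246", "80", "1", "GET", "i.scdn.co", _URI, "-", _UA,
     "0", "94040", "200", "OK", "-", "-", "-", "(empty)", "-", "-",
     "VIA -> 1.1 gateway (squid/3.5.22),X-FORWARDED-FOR -> 192.168.1.101",
     "-", "-", "F898pvpKI8FAldYVb", "image/jpeg"],
    ["1477423194.000000", "CKUVZB4Buv5shQEfre", "192.168.1.101", "45741",
     "151.101.52.246", "80", "1", "GET", "i.scdn.co", _URI, "-", _UA,
     "0", "94040", "200", "OK", "-", "-", "-", "(empty)", "-", "-",
     "-", "-", "-", "FIcIh42olruCzFTJgl", "image/jpeg"],
]

SAMPLE_HTTP_LOG = "\n".join(
    ["#separator \\x09",
     "#set_separator\t,",
     "#empty_field\t(empty)",
     "#unset_field\t-",
     "#path\thttp",
     "#fields\t" + "\t".join(SAMPLE_FIELDS)]
    + ["\t".join(row) for row in _ROWS]
    + ["#close\t2016-10-25-13-20-00"]
) + "\n"


def parse_http_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro ASCII log text into one dict per record, keyed by #fields."""
    sep, fields, records = "\t", None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # Bro writes the separator escaped, e.g. "\x09" for a tab.
            sep = line.split(" ", 1)[1].encode("ascii").decode("unicode_escape")
            continue
        if line.startswith("#fields"):
            fields = line.split(sep)[1:]
            continue
        if line.startswith("#"):
            continue  # other metadata lines (#path, #open, #close, ...)
        if fields is None:
            raise ValueError("record seen before the #fields header")
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError("field count mismatch in line: %r" % line[:60])
        records.append(dict(zip(fields, values)))
    return records


# A proxied set element looks like 'HEADER -> value'; split only on commas
# that begin a new element, because a forwarded-for chain has commas too.
_PROXIED_SPLIT = re.compile(r",(?=[A-Za-z0-9-]+ -> )")


def parse_proxied(field: str) -> Dict[str, str]:
    """Turn Bro's proxied set into {HEADER: value}; '-'/'(empty)' give {}."""
    if field in ("-", "(empty)"):
        return {}
    headers = {}
    for element in _PROXIED_SPLIT.split(field):
        name, _, value = element.partition(" -> ")
        headers[name.upper()] = value.strip()
    return headers


def find_proxied_requests(records: List[Dict[str, str]]) -> List[Dict[str, Optional[str]]]:
    """Return one summary per request whose proxied column is non-empty."""
    hits = []
    for rec in records:
        headers = parse_proxied(rec.get("proxied", "-"))
        if not headers:
            continue
        # X-Forwarded-For lists the original client first, then each hop.
        xff = headers.get("X-FORWARDED-FOR", "")
        client = xff.split(",")[0].strip() if xff else None
        hits.append({"uid": rec["uid"], "orig_h": rec["id.orig_h"],
                     "client": client, "via": headers.get("VIA"),
                     "host": rec["host"]})
    return hits


if __name__ == "__main__":
    for hit in find_proxied_requests(parse_http_log(SAMPLE_HTTP_LOG)):
        print("%(uid)s %(orig_h)s -> %(host)s proxied for %(client)s via %(via)s" % hit)
```

Run against a real http.log, the internal-side capture from the thread yields no hits, which is exactly James's point: only the external-side capture carries the Via and X-Forwarded-For evidence.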

