This is a discussion on Re: [Snort-users] snort and squid within the Snort forums, part of the System Security and Security Related category.
You have two options. Correlate the events with the logs from your Squid proxy, or move the Snort sensor inside the proxy. Sometimes (and right now I can't remember if Squid does it) it will add a header to the HTTP that says "X-Forwarded-For" or similar that will have the IP of the actual client. However, like I said, I can't remember if Squid does that for you, and that would be the only way that you can see the IP behind the proxy.

Joel

On Jan 17, 2008, at 5:46 AM, Helmut Schneider wrote:

> Hi,
>
> I'm using snort 2.7 on two machines, one at a hub next to the router and the
> firewall and since yesterday a second sensor on my proxy (squid). All
> web-traffic must go through the proxy.
> The first sensor gives information about e.g. that one uses google desktop
> but does not say which client (of course, as source is the proxy). So I
> installed snort as a second sensor on the proxy but without success. The
> alerts the first sensor finds are not found on the second sensor (the squid
> protocol might differ from HTTP).
>
> Is there a way to configure snort to reveal which exact client "breaks"
> policies?
>
> Thanks, Helmut
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Microsoft
> Defy all challenges. Microsoft(R) Visual Studio 2008.
> http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users
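The first option in the reply above (correlating alerts with the Squid logs), sketched as an added example that is not part of the original thread. It assumes Snort "fast" alert lines without a year, Squid's native access.log format, synchronized UTC clocks on both hosts, and constructed sample data; `correlate` and the other names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample data (not from the thread); 10.0.0.5 stands in for the proxy.
# Squid native format: end-time elapsed-ms client action/code bytes method URL ident hierarchy/peer type
SQUID_LOG = """\
1200548700.000    100 192.168.1.99 TCP_MISS/200 512 GET http://desktop.example.test/a - DIRECT/203.0.113.10 text/html
1200548759.900    350 192.168.1.57 TCP_MISS/200 4312 GET http://desktop.example.test/b - DIRECT/203.0.113.10 text/html
1200548760.400    120 192.168.1.80 TCP_MISS/200 900 GET http://www.example.test/ - DIRECT/203.0.113.20 text/html
"""
SNORT_ALERTS = """\
01/17-05:45:59.700000  [**] [1:1000001:1] POLICY desktop search client [**] [Priority: 2] {TCP} 10.0.0.5:34512 -> 203.0.113.10:80
"""

ALERT_RE = re.compile(
    r"^(\S+)\s+\[\*\*\]\s+\[[\d:]+\]\s+(.*?)\s+\[\*\*\].*?"
    r"\{\w+\}\s+([\d.]+):\d+\s+->\s+([\d.]+):\d+", re.M)

def parse_squid(text):
    """Yield one dict per access.log line with the request's time window."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10:
            continue  # skip truncated or non-native lines
        end = float(f[0])  # Squid logs when the request completes
        yield {"start": end - int(f[1]) / 1000, "end": end, "client": f[2],
               "url": f[6], "peer": f[8].partition("/")[2]}

def correlate(alerts, squid, proxy_ip, year, slack=1.0):
    """Map each alert sourced from the proxy to the internal clients whose
    proxied request went to the same server IP at the same time."""
    entries = list(parse_squid(squid))
    results = []
    for when, msg, src, dst in ALERT_RE.findall(alerts):
        if src != proxy_ip:
            continue  # only alerts where the proxy hides the real client
        t = datetime.strptime(f"{year}/{when}", "%Y/%m/%d-%H:%M:%S.%f")
        t = t.replace(tzinfo=timezone.utc).timestamp()
        clients = sorted({e["client"] for e in entries if e["peer"] == dst
                          and e["start"] - slack <= t <= e["end"] + slack})
        results.append((msg, dst, clients))
    return results

if __name__ == "__main__":
    for msg, dst, clients in correlate(SNORT_ALERTS, SQUID_LOG, "10.0.0.5", 2008):
        print(f"{msg} -> {dst}: candidate clients {clients or 'none found'}")
```

More than one client can match when several users reach the same server within the slack window, so treat the result as a candidate list and narrow it with the logged URL.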