[Snort-users] Snort on web servers behind reverse proxies

This is a discussion on [Snort-users] Snort on web servers behind reverse proxies within the Snort forums, part of the System Security and Security Related category; Hi First of all I did some research and couldn't find anything about this, so no flames please :-) Here ...


Go Back   Usenet Forums > System Security and Security Related > Snort

Reload this Page [Snort-users] Snort on web servers behind reverse proxies

FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply

 

LinkBack Thread Tools Display Modes
  #1 (permalink)  
Old 05-01-2008
Tudor Panaitescu
 
Posts: n/a
Default [Snort-users] Snort on web servers behind reverse proxies


Hi

First of all I did some research and couldn't find anything about this, so
no flames please :-)

Here is the story. We have some reverse proxies/application
accelerators/etc. (let's call them reverse proxies for now) in front of our
web site. We don't control these reverse proxies and I am not sure if the
provider has any IDS capabilities on those. I have snort (2.8.0.2)
installed on the actual web servers but the only thing that I see in the
alerts is the IP addresses of the reverse proxies, which is normal. Now,
the reverse proxies, in their http requests to the web servers, they add 2
entries in the headers: X-Forwarded-For: <origin's IP address> and
True-Client-IP: <origin's IP address>. Is it a way to modify the rules to
alert using any of these IP addresses instead of the IP address(es) of the
reverse proxies ?

Any help/idea would be appreciated.

Thanks and all the best,
Tudor


Visit us at http://www.colorcon.com

NOTICE: This e-mail contains confidential and/or proprietary information, some or all of which may be legally privileged. It is intended only for the named recipient. If an addressing or transmission error has misdirected the e-mail,
please notify the author by replying to this message. If you are not the named recipient you must not use, disclose, distribute, copy, print, or rely on this e-mail, and should immediately delete it from your computer system.

Thank you. *

-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757...un.com/javaone
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users
Reply With Quote
Reply

« Previous Thread | Next Thread »

Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
vB code is On
Smilies are Off
[IMG] code is Off
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are On



All times are GMT +1. The time now is 10:59 PM.

Contact Us - Usenet Forums - Archive - Top

Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO 3.0.0