This is a discussion on Re: [Snort-users] Snort on web servers behind reverse proxies within the Snort forums, part of the System Security and Security Related category.
You will have to post process it. Check out snortunified.pm for a
framework that makes it easy.

Tudor Panaitescu wrote:
>
> Hi
>
> First of all I did some research and couldn't find anything about this, so
> no flames please :-)
>
> Here is the story. We have some reverse proxies/application
> accelerators/etc. (let's call them reverse proxies for now) in front of our
> web site. We don't control these reverse proxies and I am not sure if the
> provider has any IDS capabilities on those. I have snort (2.8.0.2)
> installed on the actual web servers but the only thing that I see in the
> alerts is the IP addresses of the reverse proxies, which is normal. Now,
> the reverse proxies, in their http requests to the web servers, they add 2
> entries in the headers: X-Forwarded-For: <origin's IP address> and
> True-Client-IP: <origin's IP address>. Is there a way to modify the rules to
> alert using any of these IP addresses instead of the IP address(es) of the
> reverse proxies?
>
> Any help/idea would be appreciated.
>
> Thanks and all the best,
> Tudor
>
> _______________________________________________
> Snort-users mailing list
> Snort-users@lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/...fo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.p...st=snort-users
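
An added example, not part of the original thread and not SnortUnified.pm code: one way the post-processing step suggested in the reply could recover the origin address from the X-Forwarded-For and True-Client-IP headers described in the question. The proxy range, the header preference and the sample alerts are assumptions constructed for illustration, and each alert is taken as an already-decoded (source address, payload) pair.

```python
import ipaddress

# Assumptions (constructed values): the provider's proxy range, and which header to prefer.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/28")]
CLIENT_HEADERS = ("true-client-ip", "x-forwarded-for")


def is_proxy(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def parse_headers(payload):
    """Lower-cased headers from a raw HTTP request payload; repeated headers are comma-joined."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            key = name.strip().lower()
            headers[key] = ", ".join(filter(None, [headers.get(key), value.strip()]))
    return headers


def origin_ip(src_ip, payload):
    """Client address to report for one alert; falls back to the packet source."""
    if not is_proxy(ipaddress.ip_address(src_ip)):
        return src_ip  # not from a known proxy: the headers are client-controlled
    headers = parse_headers(payload)
    for name in CLIENT_HEADERS:
        # Walk a forwarding chain from the hop nearest to us; entries further left
        # were supplied by something we do not trust.
        for hop in reversed(headers.get(name, "").split(",")):
            try:
                ip = ipaddress.ip_address(hop.strip())
            except ValueError:
                break  # malformed entry: do not look further left
            if not is_proxy(ip):
                return str(ip)
    return src_ip


# Constructed sample alerts: (packet source address, captured payload).
SAMPLE_ALERTS = [
    ("192.0.2.5", b"GET /a HTTP/1.1\r\nHost: www\r\nX-Forwarded-For: 203.0.113.9\r\n\r\n"),
    ("192.0.2.5", b"GET /b HTTP/1.1\r\nX-Forwarded-For: 10.9.9.9\r\nX-Forwarded-For: 198.51.100.20, 192.0.2.6\r\n\r\n"),
    ("198.51.100.7", b"GET /c HTTP/1.1\r\nTrue-Client-IP: 10.1.1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for src, payload in SAMPLE_ALERTS:
        print(src, "->", origin_ip(src, payload))
```

The third sample shows why the header is only honoured when the packet itself came from a known proxy: a request that reaches the web server directly keeps its packet source address, whatever its headers claim.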