one thing I do with some of the snort stuff is to pull the packet contents and look for a
Several of my automated scripts do this so this enables me to trace connections back
through squid proxies without problems.
If the proxies add such headers then you may be able to get a bro script to automatically
pull the real IP and report that.
On 27/01/2012, at 10:54 AM, Martin Holste wrote:
Our org is looking at using web proxies without changing settings on the client. This can involve using Cisco's WCCP or policy-based routing to marshal traffic that would normally go to the Internet to a proxy. As I understand it, the proxy makes the request, returns the response to the router, and the router returns the response to the client. My question is if anyone has run into problems with a tap or span on the side of the router closest to the client. That is, does the proxy change the traffic enough to interfere? It seems nonsensical to put the sensor at the edge of the network since the requests will have the source IP of the proxy, not the actual client, but that means that the traffic the IDS inspects will be inauthentic versus what the remote host on the Internet actually sent. Theoretically, it should be the same traffic, but I'm wondering if anyone can confirm that. I'm especially concerned with appliances that reorder or normalize HTTP headers, etc.
Bro mailing list