29 Jul
2016
29 Jul
'16
11:17 a.m.
Hi,
Recently we have seen an uptick in use of proxy servers to login to the
accounts from people living in China. And since the connection appears to
come from US based IP address (probably a proxy) they go un-flagged by the
IDS/IPS devices, as they see normal logins from United States IP addresses.
So my question is, is there a way to determine that the incoming connection
from an IP is actually a proxy server's IP, by looking at some unique
patterns in data collected by IDS/IPS devices? and if so can we do it using
Bro?
Thanks,
Fatema.
3 Aug
3 Aug
12:42 p.m.
Hi Fatema,
one idea would be to look if the used proxy servers set a header like,
X-Forwarded-For (https://en.wikipedia.org/wiki/X-Forwarded-For). If such a
header is present, you already might have an entry in the proxied column
of http.log.
I hope this helps,
Johanna
On Fri, Jul 29, 2016 at 02:17:37PM -0400, fatema bannatwala wrote:
Hi,
Recently we have seen an uptick in use of proxy servers to login to the
accounts from people living in China. And since the connection appears to
come from US based IP address (probably a proxy) they go un-flagged by the
IDS/IPS devices, as they see normal logins from United States IP addresses.
So my question is, is there a way to determine that the incoming connection
from an IP is actually a proxy server's IP, by looking at some unique
patterns in data collected by IDS/IPS devices? and if so can we do it using
Bro?
Thanks,
Fatema.
_______________________________________________
Bro mailing list
bro(a)bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
4 Aug
4 Aug
1:07 p.m.
Thanks Johanna,
Didn't realized that the "Proxied" field in http.log serves the purpose.
Thanks for the suggestion.
-Fatema
On Wed, Aug 3, 2016 at 3:42 PM, Johanna Amann <johanna(a)icir.org> wrote:
Hi Fatema,
one idea would be to look if the used proxy servers set a header like,
X-Forwarded-For (https://en.wikipedia.org/wiki/X-Forwarded-For). If such a
header is present, you already might have an entry in the proxied column
of http.log.
I hope this helps,
Johanna
On Fri, Jul 29, 2016 at 02:17:37PM -0400, fatema bannatwala wrote:
Hi,
Recently we have seen an uptick in use of proxy servers to login to the
accounts from people living in China. And since the connection appears to
come from US based IP address (probably a proxy) they go un-flagged by
the
IDS/IPS devices, as they see normal logins from
United States IP
addresses.
So my question is, is there a way to determine
that the incoming
connection
from an IP is actually a proxy server's IP,
by looking at some unique
patterns in data collected by IDS/IPS devices? and if so can we do it
using
Bro?
Thanks,
Fatema.
_______________________________________________
Bro mailing list
bro(a)bro-ids.org
http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
1950
days inactive
1956
days old
2 comments
2 participants
participants (2)
-
fatema bannatwala -
Johanna Amann