Focus on IDS
x-forwarded-for an IDS capability Apr 29 2009 04:27AM
James (jimbob coffey gmail com) (3 replies)
Re: x-forwarded-for an IDS capability Apr 29 2009 05:56PM
Seth Hall (hall 692 osu edu)
Re: x-forwarded-for an IDS capability Apr 29 2009 04:00PM
Arian J. Evans (arian evans anachronic com)
RE: x-forwarded-for an IDS capability Apr 29 2009 02:55PM
Hellman, Matthew (Hellman Matthew principal com)
That's a nice idea, I personally haven't seen or heard of it being implemented. If you can get a trace with the alert you might see it there. Also, a SIM should be able to do this for you (by means of including the firewall/router/proxy logs and correlating them).

>>-----Original Message-----
>>From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]]
>>On Behalf Of James
>>Sent: Tuesday, April 28, 2009 11:28 PM
>>To: focus-ids (at) securityfocus (dot) com [email concealed]
>>Subject: x-forwarded-for an IDS capability
>>Hi List,
>>Does anyone know of an IDS vendor/or opensource product that has the
>>capability of associating
>>an ip address in an x-forwarded-for http header with an IDS event ?
>>This includes events that fire on a download as well so there would
>>need to be some
>>kind of internal http state management.
>>I notice this request from Jason Haars back in 2004 to the snort
>>mailing list but I can't seem to find anything else on this in google

-----Message Disclaimer-----

This e-mail message is intended only for the use of the individual or
entity to which it is addressed, and may contain information that is
privileged, confidential and exempt from disclosure under applicable law.
If you are not the intended recipient, any dissemination, distribution or
copying of this communication is strictly prohibited. If you have
received this communication in error, please notify us immediately by
reply email to Connect (at) principal (dot) com [email concealed] and delete or destroy all copies of
the original message and attachments thereto. Email sent to or from the
Principal Financial Group or any of its member companies may be retained
as required by law or regulation.

Nothing in this message is intended to constitute an Electronic signature
for purposes of the Uniform Electronic Transactions Act (UETA) or the
Electronic Signatures in Global and National Commerce Act ("E-Sign")
unless a specific statement to the contrary is included in this message.

While this communication may be used to promote or market a transaction
or an idea that is discussed in the publication, it is intended to provide
general information about the subject matter covered and is provided with
the understanding that The Principal is not rendering legal, accounting,
or tax advice. It is not a marketed opinion and may not be used to avoid
penalties under the Internal Revenue Code. You should consult with
appropriate counsel or other advisors on all matters pertaining to legal,
tax, or accounting obligations and requirements.

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus