Focus on IDS
RE: x-forwarded-for an IDS capability Apr 29 2009 10:04PM
Hellman, Matthew (Hellman Matthew principal com) (2 replies)
Re: x-forwarded-for an IDS capability May 07 2009 08:04AM
Jason Haar (Jason Haar trimble co nz) (1 replies)
Re: x-forwarded-for an IDS capability May 08 2009 12:16AM
James (jimbob coffey gmail com) (1 replies)
2009/5/7 Jason Haar <Jason.Haar (at) trimble.co (dot) nz>:
> On 04/30/2009 10:04 AM, Hellman, Matthew wrote:
>> I believe that the original poster is trying to deal with the problem of not having the true source IP address for a given IDS alarm specifically because of a forwarding proxy or NAT device on his own network.
>>
> As I was the original chap back in 2004 who asked this question, I'd
> like to have my 2c worth too :-)
>
> Indeed the issue was that our (snort) IDS was picking up
> spyware-infected PCs phoning home through our proxies - and so the IDS
> could only tell you the src IP was the proxy - no use at all in itself.

That is the same problem I have.

> FYI our proxies lie inside our network - not on the edge (where the IDS
> are).

Same again

>
> Well now it's 2009 and we found a different way around it. We installed
> snort onto all our proxies :-) Now snort can see the clients.
>
> As far as the X-Forwarded-For comments go - I think that track is a very
> bad idea. Everyone running proxies should be taking the opportunity to

OK, maybe I should help out with a flow diagram so you can understand
where I am coming from:

user_pc
-> transparent proxy (x-f-f stamped here)
-> internet_gateway_proxy (headers stripped)
-> internet

The IDS is capturing on the internal leg of the internet_gateway_proxy,
hence all HTTP/HTTPS IDS alerts have a source IP of the transparent
proxy, which means correlation is virtually impossible unless the IDS
can extract the x-f-f and substitute this for the source IP in the
alerts.

--
jac

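The substitution James asks for, written out as an added example (it is not code from this thread, from Snort, or from any of the posters). It assumes the transparent proxy in the diagram sits at 10.0.0.2 and appends the connecting client to X-Forwarded-For the way Squid does, so the rightmost entry is the address the proxy actually saw; the sample requests and the Snort-style fast alert line are constructed. Two checks a practitioner wants are built in: the header is only honoured when the packet source is the known proxy (any host can send its own X-Forwarded-For), and an unparsable value such as Squid's "unknown" falls back to the packet source. Note that this can only work for cleartext HTTP; inside HTTPS the IDS on the wire never sees the header, so for those alerts the proxy's own logs remain the only way back to the client.

```python
import ipaddress
import re

# Assumed address of the transparent proxy that stamps x-f-f in the
# diagram above. Only requests whose packet source is in this set may
# have their alert source rewritten; anyone else could have set the
# header themselves.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.2")}

# RFC 7230 token characters for the field name; value trimmed of OWS.
HEADER_RE = re.compile(
    r"^(?P<name>[!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(?P<value>.*?)[ \t]*$"
)

# Source address inside a Snort fast-format alert: "{TCP} a.b.c.d:port -> ".
ALERT_SRC_RE = re.compile(
    r"\{(?P<proto>[A-Z]+)\} (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
)

# Constructed sample traffic as the IDS would see it on the gateway's
# internal leg (packet source = the transparent proxy).
REQ_FROM_PROXY = (
    b"GET /update.php HTTP/1.1\r\nHost: evil.example\r\n"
    b"X-Forwarded-For: 192.168.5.7\r\nUser-Agent: spyware/1.0\r\n\r\n"
)
# The infected PC sent its own bogus header; the proxy appended the real peer.
REQ_WITH_SPOOFED_XFF = (
    b"GET /update.php HTTP/1.1\r\nHost: evil.example\r\n"
    b"X-Forwarded-For: 203.0.113.9, 192.168.5.7\r\n\r\n"
)
# Proxy configured to hide the client (Squid emits "unknown").
REQ_BAD_XFF = (
    b"GET /update.php HTTP/1.1\r\nHost: evil.example\r\n"
    b"X-Forwarded-For: unknown\r\n\r\n"
)
REQ_NO_XFF = b"GET /update.php HTTP/1.1\r\nHost: evil.example\r\n\r\n"

# Constructed alert line in Snort's fast output style.
SAMPLE_ALERT = (
    "05/08-00:16:00.123456  [**] [1:2000001:1] SPYWARE phone home [**] "
    "[Priority: 1] {TCP} 10.0.0.2:44321 -> 198.51.100.4:80"
)


def parse_request_headers(raw: bytes) -> dict:
    """Lower-cased header dict from a raw HTTP/1.x request head.
    Repeated fields are joined with ', ', the RFC 7230 list form."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        m = HEADER_RE.match(line)
        if not m:
            continue
        name, value = m.group("name").lower(), m.group("value")
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def client_from_xff(xff: str):
    """Rightmost entry: each appending proxy adds the peer it accepted,
    so that is the one address our own proxy vouches for."""
    parts = [p.strip() for p in xff.split(",") if p.strip()]
    if not parts:
        return None
    try:
        return ipaddress.ip_address(parts[-1])
    except ValueError:  # e.g. "unknown"
        return None


def attribute_alert(packet_src: str, raw_request: bytes) -> dict:
    """Decide which source IP an alert should carry.
    'via' is set only when the header was trusted and used."""
    src = ipaddress.ip_address(packet_src)
    result = {"packet_src": str(src), "alert_src": str(src), "via": None}
    if src not in TRUSTED_PROXIES:
        return result
    xff = parse_request_headers(raw_request).get("x-forwarded-for")
    client = client_from_xff(xff) if xff else None
    if client is None:
        return result
    result["alert_src"] = str(client)
    result["via"] = str(src)
    return result


def rewrite_fast_alert(alert_line: str, raw_request: bytes) -> str:
    """Substitute the attributed client for the packet source in a fast
    alert, keeping the proxy address in a trailing tag for forensics."""
    m = ALERT_SRC_RE.search(alert_line)
    if not m:
        return alert_line
    attributed = attribute_alert(m.group("src"), raw_request)
    if attributed["via"] is None:
        return alert_line
    return (
        alert_line[: m.start("src")]
        + attributed["alert_src"]
        + alert_line[m.end("src"):]
        + f" [xff via {attributed['via']}]"
    )


if __name__ == "__main__":
    print(rewrite_fast_alert(SAMPLE_ALERT, REQ_FROM_PROXY))
    print(rewrite_fast_alert(SAMPLE_ALERT, REQ_BAD_XFF))
```

The trusted-proxy check is the important part: without it an attacker on the network can relabel their own traffic as any host simply by sending an X-Forwarded-For header, which is the objection Jason raises above. Keeping the proxy address in the tag means the original packet source is never lost from the alert.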
Copyright 2010, SecurityFocus