Re: x-forwarded-for an IDS capability
- From: Jason Haar <Jason.Haar@xxxxxxxxxxxxx>
- Date: Thu, 07 May 2009 20:04:46 +1200
On 04/30/2009 10:04 AM, Hellman, Matthew wrote:
I believe that the original poster is trying to deal with the problem of not having the true source IP address for a given IDS alarm specifically because of a forwarding proxy or NAT device on his own network.As I was the original chap back in 2004 who asked this question, I'd
like to have my 2c worth too :-)
Indeed the issue was that our (snort) IDS was picking up
spyware-infected PCs phoning home through our proxies - and so the IDS
could only tell you the src IP was the proxy - no use at all in itself.
FYI our proxies lie inside our network - not on the edge (where the IDS
are).
Well now it's 2009 and we found a different way around it. We installed
snort onto all our proxies :-) Now snort can see the clients.
As far as the X-Forwarded-For comments go - I think that track is a very
bad idea. Everyone running proxies should be taking the opportunity to
ensure that header (and its cousin "Via") is stripped out before such
HTTP requests leave the site - there's no point in giving away internal
IP address information to random web sites. So - on our network at least
- using X-Forwarded-For wouldn't be an option anyway.
--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
- Follow-Ups:
- Re: x-forwarded-for an IDS capability
- From: James
- Re: x-forwarded-for an IDS capability
- Next by Date: Re: x-forwarded-for an IDS capability
- Next by thread: Re: x-forwarded-for an IDS capability
- Index(es):
Relevant Pages
|
