Re: x-forwarded-for an IDS capability

2009/5/7 Jason Haar <Jason.Haar@xxxxxxxxxxxxx>:
> On 04/30/2009 10:04 AM, Hellman, Matthew wrote:
>> I believe that the original poster is trying to deal with the problem of not having the true source IP address for a given IDS alarm specifically because of a forwarding proxy or NAT device on his own network.
>
> As I was the original chap back in 2004 who asked this question, I'd
> like to have my 2c worth too :-)
>
> Indeed the issue was that our (snort) IDS was picking up
> spyware-infected PCs phoning home through our proxies - and so the IDS
> could only tell you the src IP was the proxy - no use at all in itself.

That is the same problem I have.

> FYI our proxies lie inside our network - not on the edge (where the IDS

Same again.

> Well now it's 2009 and we found a different way around it. We installed
> snort onto all our proxies :-) Now snort can see the clients.
>
> As far as the X-Forwarded-For comments go - I think that track is a very
> bad idea. Everyone running proxies should be taking the opportunity to

OK, maybe I should help out with a flow diagram so you can understand
where I am coming from:

-> transparent proxy (x-f-f stamped here)
-> internet_gateway_proxy (headers stripped)
-> internet

The IDS is capturing on the internal leg of the internet_gateway_proxy,
hence all http/https IDS alerts have a source ip of the transparent
proxy, which means correlation is virtually impossible unless the IDS
can extract the x-f-f and substitute this for the source ip in the
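The substitution described in this message, as an added example that is not code from the thread: a Python routine that replaces an alert's source IP with the first X-Forwarded-For hop, but only when the packet really came from one of our own transparent proxies and the named client falls in our internal ranges, which is the check that answers the objection that the header cannot be trusted from arbitrary hosts. The proxy address, the internal ranges and the captured request are constructed for the example.

```python
import ipaddress
import re

# Constructed for this example: the internal transparent proxies whose
# X-Forwarded-For header we are willing to believe, and the address
# ranges our client PCs live in. Anything else keeps its packet-level IP.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Match the header at the start of a line; header names are case-insensitive.
XFF_RE = re.compile(rb"^X-Forwarded-For:[ \t]*([^\r\n]+)",
                    re.IGNORECASE | re.MULTILINE)


def client_from_xff(src_ip, payload):
    """Return the IP that the alert should report as its source.

    src_ip:  packet-level source address seen by the IDS (str).
    payload: raw HTTP request bytes captured with the alert.
    """
    src = ipaddress.ip_address(src_ip)
    if src not in TRUSTED_PROXIES:
        return src_ip  # header from an untrusted hop is not evidence
    # Look only at the header block, never at the body, so a request body
    # containing the string cannot spoof the substitution.
    headers = payload.split(b"\r\n\r\n", 1)[0]
    match = XFF_RE.search(headers)
    if not match:
        return src_ip  # proxy did not stamp the header; nothing to correlate
    # Left-most entry is the original client; later entries are added by
    # each proxy the request passed through.
    first = match.group(1).split(b",")[0].strip().decode("ascii", "replace")
    try:
        client = ipaddress.ip_address(first)
    except ValueError:
        return src_ip  # "unknown" or garbage in the header
    if not any(client in net for net in INTERNAL_NETS):
        return src_ip  # an internal proxy cannot have forwarded for this
    return str(client)


def rewrite_alert(alert):
    """Return a copy of an alert dict with src_ip replaced by the client
    and the proxy address preserved in proxy_ip for the record."""
    out = dict(alert)
    out["src_ip"] = client_from_xff(alert["src_ip"], alert["payload"])
    if out["src_ip"] != alert["src_ip"]:
        out["proxy_ip"] = alert["src_ip"]
    return out
```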

