Snort mailing list archives

Re: [Emerging-Sigs] Snort Alerts Differences with and without WebProxy


From: Joel Esler <jesler () sourcefire com>
Date: Sun, 20 May 2012 11:26:07 -0400

Probably a better question for the Snort-users mailing list. But yes, the IPs may show up differently (for instance the source IP may be that of the proxy).

Maybe some checksum errors in there?

Do a tcpdump on the interface with the -vv options and see if "incorrect" shows up in the dump. 

-- 
Joel Esler

On May 20, 2012, at 4:31 AM, Balasubramaniam Natarajan <bala150985 () gmail com> wrote:

Hi

Should there be any difference in Snort alerts if the internal clients are using a web proxy, as opposed to those which are not? I am asking this because I see a remarkable difference between the two.


Initial Configuration without Squid WebProxy

Internal Clients (Default Gateway eth1 on snort) ---> (eth1) Snort (eth0) ----> Internet

Snort was running on eth1 and it logged lots of alerts


Present Configuration with Squid WebProxy

Internal Client (webproxy to snort:3128 on eth1)   ------> (eth1) Snort (eth0) ------> Internet

Now Snort is running on the eth0 interface and the number of alerts logged is far lower. I guess some alerts are somehow missed.

-- 
Regards,
Balasubramaniam Natarajan
www.etutorshop.com/moodle/

_______________________________________________
Emerging-sigs mailing list
Emerging-sigs () lists emergingthreats net
http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
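Added example, not part of either message above: a small checksum verifier that does offline what Joel's `tcpdump -vv` check does live. It builds constructed IPv4/TCP packets with RFC 1071 checksums, then validates them the way a decoder would. The reason this matters here is that when Snort sniffs eth0 on the same host that runs Squid, outbound packets generated by the proxy can be captured before the NIC has filled in offloaded checksums; tcpdump shows them as "incorrect", and a Snort 2 decoder with checksum verification enabled (`config checksum_mode`, or `-k` on the command line) does not run detection on packets that fail it, which would explain the drop in alerts. The addresses, ports and payload are made up for the example.

```python
"""Offline IPv4/TCP checksum verification (added example, constructed packets)."""
import socket
import struct


def _ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back in (end-around carry)
        total = (total & 0xFFFF) + (total >> 16)
    return total


def internet_checksum(data: bytes) -> int:
    """Checksum value to place in a header whose checksum field is currently zero."""
    return (~_ones_complement_sum(data)) & 0xFFFF


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes,
                 bad_ip: bool = False, bad_tcp: bool = False) -> bytes:
    """Construct an IPv4+TCP packet; optionally corrupt one checksum by flipping its low bit."""
    src_b, dst_b = socket.inet_aton(src), socket.inet_aton(dst)
    tcp_len = 20 + len(payload)
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, cksum=0, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0) + payload
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, tcp_len)
    tcp_ck = internet_checksum(pseudo + tcp)
    if bad_tcp:
        tcp_ck ^= 0x0001  # a single flipped bit is guaranteed to fail verification
    tcp = tcp[:16] + struct.pack("!H", tcp_ck) + tcp[18:]
    # ver/ihl, tos, total len, id, DF flag, ttl, proto TCP, cksum=0, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0, src_b, dst_b)
    ip_ck = internet_checksum(ip)
    if bad_ip:
        ip_ck ^= 0x0001
    ip = ip[:10] + struct.pack("!H", ip_ck) + ip[12:]
    return ip + tcp


def verify(packet: bytes) -> dict:
    """Validate IPv4 header and TCP checksums; a correct header sums to zero under the checksum."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    ip_ok = internet_checksum(packet[:ihl]) == 0
    segment = packet[ihl:total_len]
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, proto, len(segment))
    tcp_ok = internet_checksum(pseudo + segment) == 0
    return {"ip_ok": ip_ok, "tcp_ok": tcp_ok}


def summarize(packets) -> dict:
    """Count packets a checksum-verifying decoder would inspect versus discard."""
    counts = {"ok": 0, "bad_ip": 0, "bad_tcp": 0}
    for pkt in packets:
        result = verify(pkt)
        if not result["ip_ok"]:
            counts["bad_ip"] += 1
        elif not result["tcp_ok"]:
            counts["bad_tcp"] += 1
        else:
            counts["ok"] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: one clean packet, one with a bad TCP checksum (as checksum
    # offload leaves it on the sending host), one with a bad IP header checksum.
    req = b"GET / HTTP/1.0\r\n\r\n"
    sample = [
        build_packet("10.0.0.5", "198.51.100.20", 40000, 80, req),
        build_packet("10.0.0.5", "198.51.100.20", 40001, 80, req, bad_tcp=True),
        build_packet("10.0.0.5", "198.51.100.20", 40002, 80, req, bad_ip=True),
    ]
    print(summarize(sample))
```

If most of the outbound packets in a capture on the proxy host fail like the second sample, the usual fixes are to capture on the interface where the traffic has already been transmitted (or on a span port), to turn off checksum offload on the sniffed NIC, or to relax `checksum_mode` in snort.conf; which one is appropriate depends on the deployment.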
