Snort mailing list archives
Snort on proxy (outbound alerts)
From: Thibaud Raso <joga3.web () gmail com>
Date: Fri, 18 Jan 2013 10:29:21 +0100
Hi everybody, I'm having a problem with my running instance of Snort, which is set up on my proxy server (Squid) and uses the ET ruleset. I've been looking for a solution for a while, but I still have no answer. My problem is that for some rules it alerts me on outbound traffic instead of inbound traffic. Let me explain. Here is a rule which only gives me alerts on outgoing traffic:
alert tcp $HOME_NET any -> [50.31.138.120,50.63.202.69,60.13.186.5,60.199.114.84,61.244.48.34,62.109.0.5,62.109.23.147,62.109.23.228,62.149.140.16,62.76.177.117,63.143.42.126,64.124.180.220,64.127.71.73,64.29.151.221,64.37.52.22] any (msg:"ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server TCP (group 15)"; flags:S; reference:url,doc.emergingthreats.net/bin/view/Main/BotCC; reference:url,zeustracker.abuse.ch; reference:url,palevotracker.abuse.ch; reference:url,spyeyetracker.abuse.ch; threshold: type limit, track by_src, seconds 3600, count 1; classtype:trojan-activity; flowbits:set,ET.Evil; flowbits:set,ET.BotccIP; sid:2404128; rev:2915;)
And here is the type of alerts snort generates with this rule:
[**] [1:2404128:2915] ET CNC Zeus/Spyeye/Palevo Tracker Reported CnC Server TCP (group 15) [**] [Classification: A Network Trojan was Detected] [Priority: 1] 192.168.0.253:56884 -> 64.29.151.221:80
(192.168.0.253 is my proxy IP and 64.29.151.221 is an IP 'blacklisted' by the rule.) The problem with this rule is that it matches traffic destined to those blacklisted IPs. However, it is only interesting to me if I get alerts on my clients' requests, not the proxy's. If alerts come from my proxy IP, I can't tell which computer (in my LAN) is causing trouble. By the way, XFF is not enabled on my proxy, so there is no 'X-Forwarded-For' field in the HTTP requests (security policy), and the Snort 'xff_enable' option in the http_inspect preprocessor will not help us guess my client's IP. So my question is: "Is there a way to get this kind of alert on incoming traffic (when my clients make these requests to my proxy)?" and if yes, how do I do that? If something is not clear or if you need some more clues, you are welcome to ask. Snortely yours.
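The correlation a responder ends up doing by hand in this situation, written out as an added example (not code from the original post, nor from Snort or Squid): the ET rule can only ever see the proxy's own SYN to the CnC address, so the client is recovered by joining the alert against Squid's access.log on the peer IP and the request's lifetime. It assumes Snort writes "fast" alerts with a timestamp and {TCP} tag, Squid writes its default native access.log, both hosts keep synchronised UTC clocks, and a request logged at time T with elapsed E ms started at T - E/1000. The alert lines (the post's alert with a timestamp added) and the Squid lines are constructed for the example; the 2-second default tolerance is an assumption to tune to the proxy's real latency.

```python
"""Recover the LAN client behind a Snort alert that names only the proxy.

Added example, not from the original post, Snort or Squid. Assumes Snort
fast alerts with a timestamp, Squid's native access.log, synchronised UTC
clocks, and request start = log time - elapsed/1000.
"""
import re
from datetime import datetime, timezone

PROXY_IP = "192.168.0.253"  # the proxy's LAN address, as in the post

# Snort fast-alert line; Snort's timestamp carries no year, so the caller supplies it.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s*$"
)


def parse_alert(line, year):
    m = ALERT_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"time": when.replace(tzinfo=timezone.utc).timestamp(),
            "sid": int(m["sid"]), "msg": m["msg"],
            "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def parse_squid(line):
    # Native format: time elapsed client code/status bytes method URL rfc931 hierarchy/peer type
    f = line.split()
    if len(f) < 10:
        return None
    end = float(f[0])
    elapsed = int(f[1]) / 1000.0
    # hierarchy is e.g. DIRECT/64.29.151.221: the IP the proxy actually connected
    # to, which is what the alert carries even when the URL names a hostname.
    peer = f[8].split("/", 1)[1] if "/" in f[8] else ""
    return {"start": end - elapsed, "end": end, "client": f[2],
            "url": f[6], "peer": peer, "status": f[3]}


def correlate(alerts, requests, proxy_ip=PROXY_IP, tolerance=2.0):
    """Return (sid, dst, [candidate client IPs], via_proxy) per alert.

    An alert not sourced from the proxy already names the client. For a
    proxy-sourced alert, a request is a candidate when the proxy connected
    to the alert's destination and the alert time falls inside the request's
    lifetime widened by `tolerance` seconds. Candidates are ordered by request
    start: a flags:S rule fires once per connection, so the earliest
    candidate is normally the client that caused the proxy to open it.
    """
    out = []
    for a in alerts:
        if a["src"] != proxy_ip:
            out.append((a["sid"], a["dst"], [a["src"]], False))
            continue
        hits = sorted((r for r in requests
                       if r["peer"] == a["dst"]
                       and r["start"] - tolerance <= a["time"] <= r["end"] + tolerance),
                      key=lambda r: r["start"])
        clients = []
        for r in hits:
            if r["client"] not in clients:
                clients.append(r["client"])
        out.append((a["sid"], a["dst"], clients, True))
    return out


# Constructed sample input. 2013-01-18 10:12:33 UTC is epoch 1358503953.
SNORT_ALERTS = [
    "01/18-10:12:33.401021  [**] [1:2404128:2915] ET CNC Zeus/Spyeye/Palevo Tracker Reported "
    "CnC Server TCP (group 15) [**] [Classification: A Network Trojan was Detected] "
    "[Priority: 1] {TCP} 192.168.0.253:56884 -> 64.29.151.221:80",
    # a host that bypassed the proxy: the alert already names it
    "01/18-10:15:02.000000  [**] [1:2404128:2915] ET CNC Zeus/Spyeye/Palevo Tracker Reported "
    "CnC Server TCP (group 15) [**] [Classification: A Network Trojan was Detected] "
    "[Priority: 1] {TCP} 192.168.0.5:49201 -> 64.29.151.221:80",
]
SQUID_LOG = [
    "1358503954.120    812 192.168.0.42 TCP_MISS/200 1467 GET http://64.29.151.221/gate.php - DIRECT/64.29.151.221 text/html",
    "1358503951.880    140 192.168.0.17 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html",
    "1358503960.500   5000 192.168.0.99 TCP_MISS/200 300 GET http://64.29.151.221/ping - DIRECT/64.29.151.221 text/plain",
    "1358504222.005    300 192.168.0.88 TCP_MISS/200 220 GET http://64.29.151.221/config.bin - DIRECT/64.29.151.221 application/octet-stream",
]


def run_example(tolerance=2.0):
    alerts = [a for a in (parse_alert(l, 2013) for l in SNORT_ALERTS) if a]
    reqs = [r for r in (parse_squid(l) for l in SQUID_LOG) if r]
    return correlate(alerts, reqs, tolerance=tolerance)


if __name__ == "__main__":
    for sid, dst, clients, via_proxy in run_example():
        origin = "via proxy, candidates:" if via_proxy else "direct from"
        print(f"sid {sid} -> {dst}: {origin} {', '.join(clients) or 'none found'}")
```

With the default 2-second window only 192.168.0.42 is returned for the proxy-sourced alert; widening it to 20 seconds also pulls in 192.168.0.99, which started its request two seconds after the SYN, so the window is the knob that trades missed matches for ambiguity. Two caveats when running this against real logs: Squid's server-side persistent connections mean a flags:S alert fires only for the client that caused a new connection to be opened, and later clients riding the same connection never trigger it; and if Squid forwards through a parent cache the hierarchy field names the parent, in which case the proxy never connects to the CnC address itself and the ET rule would not fire on this box at all.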
Current thread:
- Snort on proxy (outbound alerts) Thibaud Raso (Jan 18)
- Re: Snort on proxy (outbound alerts) Balasubramaniam Natarajan (Jan 18)
- Re: Snort on proxy (outbound alerts) J. H (Jan 18)
- Re: Snort on proxy (outbound alerts) Balasubramaniam Natarajan (Jan 18)
- Re: Snort on proxy (outbound alerts) waldo kitty (Jan 18)
- Re: Snort on proxy (outbound alerts) T. R (Jan 18)
- Re: Snort on proxy (outbound alerts) Jason Wallace (Jan 18)
- Re: Snort on proxy (outbound alerts) Jason Wallace (Jan 18)
- Re: Snort on proxy (outbound alerts) Joel Esler (Jan 18)
- Re: Snort on proxy (outbound alerts) Jason Wallace (Jan 18)
- Re: Snort on proxy (outbound alerts) J. H (Jan 18)
- Re: Snort on proxy (outbound alerts) Balasubramaniam Natarajan (Jan 18)
