2009/5/7 Jason Haar <[email protected]>:
> On 04/30/2009 10:04 AM, Hellman, Matthew wrote:
>> I believe that the original poster is trying to deal with the problem of not
>> having the true source IP address for a given IDS alarm specifically because
>> of a forwarding proxy or NAT device on his own network.
>>
> As I was the original chap back in 2004 who asked this question, I'd
> like to have my 2c worth too :-)
>
> Indeed the issue was that our (snort) IDS was picking up
> spyware-infected PCs phoning home through our proxies - and so the IDS
> could only tell you the src IP was the proxy - no use at all in itself.

That is the same problem I have.

> FYI our proxies lie inside our network - not on the edge (where the IDS
> are).

Same again.

>
> Well now it's 2009 and we found a different way around it. We installed
> snort onto all our proxies :-) Now snort can see the clients.
>
> As far as the X-Forwarded-For comments go - I think that track is a very
> bad idea. Everyone running proxies should be taking the opportunity to

Ok, maybe I should help out with a flow diagram so you can understand
where I am coming from:

user_pc -> transparent proxy (x-f-f stamped here) -> internet_gateway_proxy (headers stripped) -> internet

The IDS is capturing on the internal leg of the internet_gateway_proxy,
hence all http/https IDS alerts have a source ip of the transparent
proxy, which means correlation is virtually impossible unless the IDS can
extract the x-f-f and substitute this for the source ip in the alerts.

--
jac
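The substitution jac describes, as an added example that is not part of the thread or of Snort: the X-Forwarded-For value is only honoured when the alert's source is one of our own proxies (the assumed transparent proxy address 10.0.0.5 is a placeholder), so a client that forges the header cannot redirect attribution, and the chain is walked from the right so only addresses beyond a trusted proxy are believed.

```python
import ipaddress

# Constructed for the topology in the thread:
# user_pc -> transparent proxy (stamps X-Forwarded-For) -> gateway proxy -> internet.
# The IDS sees the transparent proxy as the source, so alerts are rewritten here.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}  # assumed transparent proxy address


def parse_xff(header_value):
    """Split an X-Forwarded-For value into a left-to-right list of valid addresses.
    Entries that do not parse are dropped, so a hostile header value cannot push
    garbage into the alert."""
    addrs = []
    for part in header_value.split(","):
        try:
            addrs.append(ipaddress.ip_address(part.strip()))
        except ValueError:
            continue
    return addrs


def resolve_client_ip(alert_src, headers, trusted_proxies=TRUSTED_PROXIES):
    """Return the client address an alert should be attributed to.
    The header is untrusted input unless the packet really came from one of our
    proxies; in that case the rightmost address that is not one of our proxies is
    the client. Anything else falls back to the original source IP."""
    src = ipaddress.ip_address(alert_src)
    if src not in trusted_proxies:
        return str(src)
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    if not xff:
        return str(src)
    for addr in reversed(parse_xff(xff)):
        if addr not in trusted_proxies:
            return str(addr)
    return str(src)


def rewrite_alert(alert, trusted_proxies=TRUSTED_PROXIES):
    """Return a copy of a constructed alert dict with src_ip replaced by the
    resolved client; the proxy address is kept in proxy_ip for audit."""
    client = resolve_client_ip(alert["src_ip"], alert.get("http_headers", {}), trusted_proxies)
    out = dict(alert)
    if client != alert["src_ip"]:
        out["proxy_ip"] = alert["src_ip"]
        out["src_ip"] = client
    return out
```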
