SO/IDS behind proxy


Heine Lysemose

May 30, 2012, 4:56:55 AM
to securit...@googlegroups.com
Hi

What is the best place to put the SO/IDS, in front or behind firewall/proxy?

If I'm placing SO behind the proxy I see my clients' IPs correctly, but all destination IPs are my proxy's IP.
If I'm placing SO in front I get the reverse picture, seeing my destination IPs correctly, but all client IPs are my proxy's IP.

Is there any clever way around this?

/Lysemose

Stephane Chazelas

May 30, 2012, 7:22:00 AM
to securit...@googlegroups.com
2012-05-30 01:56:55 -0700, Heine Lysemose:
[...]

You could use transparent proxying.

Otherwise, put it behind the proxy and you can still find the
source IP in the X-Forwarded-For header of the request (it needs
to be behind the proxy if you want to block the offending IP
addresses anyway).

If the proxy is squid and the OS is Linux, another solution is
to use the tproxy mode of squid, not in a transparent fashion,
have netfilter do the network translation and use ulog/nflog to
send the packets before that translation is done to SO. The
traffic SO sees is neither the traffic received nor sent on any
of the proxy interfaces but the packets have the source and IP
addresses you are interested in. If you want to give this
approach a try, I can give you some more details (I've not done
it myself (I can't guarantee it will work) but the setup I have
here where it's truly transparent is very close).

--
Stephane
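
As an added illustration of the X-Forwarded-For approach above (example code, not from this thread or from Security Onion): a sensor on the internet-facing side of the proxy sees the proxy as the IP-layer source and must recover the client from the header instead. Because a client can forge its own X-Forwarded-For before the proxy appends the address it really saw, only the rightmost entry that is not one of your own proxies should be believed. The proxy addresses 10.0.0.5/10.0.0.6 and the sample request are constructed.

```python
import ipaddress

# Constructed sample: a request as a sensor on the internet-facing side of
# the proxy would see it. The IP header says src=10.0.0.5 (our proxy); the
# client 192.0.2.10 had forged its own X-Forwarded-For before the proxy
# appended the address it really saw.
SAMPLE_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"X-Forwarded-For: 203.0.113.7, 192.0.2.10\r\n"
    b"\r\n"
)
TRUSTED_PROXIES = {"10.0.0.5", "10.0.0.6"}   # assumed proxy addresses


def parse_headers(raw):
    """Split an HTTP request head into {lower-case name: [values]}."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    headers = {}
    for line in head.split("\r\n")[1:]:          # [0] is the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def client_ip(raw, packet_src, trusted_proxies=TRUSTED_PROXIES):
    """Best-evidence client address for a request whose IP-layer source is
    one of our proxies. Entries were appended left-to-right, so only the
    rightmost non-proxy entry is something a trusted hop actually observed;
    anything left of it may have been supplied by the client."""
    if packet_src not in trusted_proxies:
        return packet_src                        # not proxied: IP header wins
    values = parse_headers(raw).get("x-forwarded-for", [])
    chain = [h.strip() for v in values for h in v.split(",") if h.strip()]
    for hop in reversed(chain):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break                                # "unknown" or junk: stop trusting
        if str(ip) in trusted_proxies:
            continue                             # one of ours: keep walking left
        return str(ip)
    return packet_src                            # nothing usable: fall back


if __name__ == "__main__":
    print(client_ip(SAMPLE_REQUEST, "10.0.0.5"))   # 192.0.2.10, not the forged 203.0.113.7
```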

Joel Esler

May 30, 2012, 1:12:25 PM
to securit...@googlegroups.com
Snort actually will log the X-Forwarded-For header in unified2 and GUIs can parse it out for display.

I don't know if Snorby supports that, but it would be a good thing to add I'd think.



http://blog.joelesler.net/2009/03/why-is-your-ids-outside-your-firewall_06.html


--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

Heine Lysemose

May 31, 2012, 10:30:14 AM
to securit...@googlegroups.com
Thanks for the answers, guys!
It seems that there is a patch to Barnyard2 that will do this without changing anything in Snorby.

Doug, could it be a good idea to add this patch to SO's Barnyard2?

/Lysemose

Doug Burks

May 31, 2012, 1:11:41 PM
to securit...@googlegroups.com
Hi Lysemose,

That patch appears to be for version 1.9 and we are using 1.10. I
don't know if the patch would apply cleanly.

Thanks,
Doug
--
Doug Burks | http://securityonion.blogspot.com
Don't miss SANS SEC503 Intrusion Detection In-Depth in
Augusta GA 6/11 - 6/16 | 10% discount for ISSA Members!
http://augusta.issa.org/drupal/SANS-Augusta-2012

Joel Esler

May 31, 2012, 8:48:46 PM
to securit...@googlegroups.com, securit...@googlegroups.com
I didn't think Snorby used barnyard2?

--
Joel Esler

Heine Lysemose

Jun 1, 2012, 2:20:18 AM
to securit...@googlegroups.com
Doug, I'll try to find out if the patch is valid for 1.10 too. Is Snort at the moment compiled with --enable_xff?

Correct me if I'm wrong on the following...

Joel, Snort -> Barnyard2 -> MySQL <- Snorby

/Lysemose

Doug Burks

Jun 1, 2012, 6:12:56 AM
to securit...@googlegroups.com
Hi Lysemose,

According to http://code.google.com/p/security-onion/issues/detail?id=245,
the current Snort package was compiled like this:
./configure --enable-sourcefire

I know that --enable-sourcefire includes many options, but I don't
know if it includes --enable_xff.

You are correct on your ASCII art :)

Dustin has written his own unified2 library, but I believe most folks
running Snorby are still using barnyard2.

Thanks,
Doug

Stephane Chazelas

Jun 1, 2012, 6:41:35 AM
to securit...@googlegroups.com
2012-06-01 06:12:56 -0400, Doug Burks:
> Hi Lysemose,
>
> According to http://code.google.com/p/security-onion/issues/detail?id=245,
> the current Snort package was compiled like this:
> ./configure --enable-sourcefire
>
> I know that --enable-sourcefire includes many options, but I don't
> know if it includes --enable_xff.
[...]

enable_xff is an option of some http_inspect preprocessor in
snort.conf (see README.http_inspect); it's built in
unconditionally. There is no --enable_xff build time
configuration option (at least not in the 2.9.2.1 version I'm
looking at).

--
Stephane

Heine Lysemose

Jun 1, 2012, 7:57:14 AM
to securit...@googlegroups.com
Yes I saw that post. Maybe Joel would comment on which options --enable-sourcefire includes.
At the top of the latest snort.conf, downloaded from www.snort.org, the following is stated...

#     Snort build options:
#     OPTIONS : --enable-ipv6 --enable-gre --enable-mpls --enable-targetbased --enable-decoder-preprocessor-rules --enable-ppm --enable-perfprofiling --enable-zlib --enable-active-response --enable-normalizer --enable-reload --enable-react --enable-flexresp3

I don't see either --enable-sourcefire or --enable_xff above; is this a bit outdated?

Yes I saw Dustin's unified2 project too. The question is whether or not he has implemented X-Forwarded-For in his library... (but that would only solve the problem in Snorby, not in Sguil, Squert etc.)

/Lysemose

Joel Esler

Jun 1, 2012, 9:57:23 AM
to securit...@googlegroups.com
--enable-sourcefire should be the only compile option you need to get all the recommended options we test against.

-- 
Joel Esler

Max Rogers

Oct 2, 2013, 9:22:17 AM
to securit...@googlegroups.com
Did we ever find an easy solution for enabling XFF in SO?

Thanks,
Max

Doug Burks

Oct 2, 2013, 1:03:13 PM
to securit...@googlegroups.com
Here's a thread on the barnyard2 mailing list talking about the patch
that Lysemose mentioned earlier in this thread (doesn't appear to
apply cleanly to modern versions):
https://groups.google.com/d/topic/barnyard2-users/_01RwlBP0T0/discussion

Looks like the upcoming Suricata 2.0 will allow you to replace the
proxy IP address with the XFF IP address:
https://redmine.openinfosecfoundation.org/issues/478

That being said, you may want to consider architectural changes so
that you won't have to rely on XFF.

Doug
> --
> You received this message because you are subscribed to the Google Groups "security-onion" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to security-onio...@googlegroups.com.
> To post to this group, send email to securit...@googlegroups.com.
> Visit this group at http://groups.google.com/group/security-onion.
> For more options, visit https://groups.google.com/groups/opt_out.

Pentolino

Feb 4, 2014, 10:53:11 AM
to securit...@googlegroups.com
Hi all,
did the XFF in security onion situation change?
It would be very useful to me, and it's not so easy to make architectural changes.


thanks

Brad Hutchins

Sep 17, 2014, 6:25:47 PM
to securit...@googlegroups.com
Any chance that this has been kept fresh and any news on integrating with SO?

Doug Burks

Sep 18, 2014, 7:12:21 AM
to securit...@googlegroups.com
Hi Brad,

Security Onion now includes Suricata 2.0.3, which *should* include the
XFF configuration:
https://redmine.openinfosecfoundation.org/issues/478

On Wed, Sep 17, 2014 at 6:25 PM, Brad Hutchins <bfc...@gmail.com> wrote:
> Any chance that this has been kept fresh and any news on integrating with SO?
>



--
Doug Burks
Need Security Onion Training or Commercial Support?
http://securityonionsolutions.com