Solved

How to catch web proxy browsing using Snort/Squil

Posted on 2007-03-21
10
2,375 Views
Last Modified: 2013-11-29
I am one of the network analyst with my company and I have been seeing an increase in web proxy use and I'm hoping to get some kind of help. Right now the only way I can find someone browsing the Internet via a proxy is by taking the IP address of a known proxy site and running a sancp query for it, to look for any traffic for the past few days. Sounds tedious I know, but we can't turn on the HTTP preprocessor in Snort because it causes way too many alerts, almost all false-positives. Snort hasn't updated that preprocessor in quite some time, so how it finds http_proxy is by looking for a URL within another URL, which is how ad banners and pop-ups work nowadays. We could write a rule to look for any instance of the word 'proxy' or 'anonymous', but again, we'd get way too many false-positives and not all web proxy sites have those words within the page. While researching how exactly proxies work, I found an article that stated that anonymous proxies do not send the HTTP_X_FORWARDING_FOR variable to the host. Not quite sure what I could do with that info (even our Snort engineer doesn't understand how to use that within a rule). I tried looking at multiple transcripts from a proxy hit and from normal http traffic, but I cannot for the life of me find anything that distinguishes one from the other. We also use Smart Filter which uses the database from securecomputing.com, but that thing goes down all the time, making it virtually useless.

Any help with this would be great, as I am hoping to catch the majority of proxy users rather than the measly 10% I get on good days. Thank you for any inputs you can provide.
0
Comment
Question by:jameswright1337
10 Comments
 
LVL 2

Expert Comment

by:tellkeeper
ID: 18781339
Complex. :) . Write a rule rejecting access to all requests lacking HTTP_x_forwarding_for.
0
 

Author Comment

by:jameswright1337
ID: 18785454
Due to upper-management problems that occurred before I got hired on, we are not allowed to block via Snort using the reject/deny rules. Maybe I can convince them though with all of the hits we are getting with proxy use. Any idea as to how the rule would be written? I've only had to write rules that looked for 'content:' in the package, with a few having 'depth:' and 'distance:'.
0
 
LVL 2

Accepted Solution

by:
mail2divyesh earned 250 total points
ID: 18834273
You can try Maxmind's IP location  service. This service is useful for validating user registration information or checking whether an Internet communication is coming from a reliable source
http://www.maxmind.com/app/locv_info

The FREE version is Approximately 97% accurate. From there you can use the DB to block the IP ranges that are identified as anonymous proxies.

0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 

Author Comment

by:jameswright1337
ID: 18926042
Sorry mail2divyesh, that's not exactly what I'm looking for.


Are there no Snort experts here at all? Guess I can't be too surprised, I couldn't get this answered on the Snort.org forums.
0
 
LVL 20

Expert Comment

by:What90
ID: 18929467
James,

Have you got a link to that article on HTTP_X_FORWARDING_FOR variable?

I could have a tinker with some rule sets to see if I can find a way to fit it in.

Otherwise, off the top of my head, dumping a list of those known proxies in to a snort log rule set and doing anomaly detection against user's web site choices (slow, boring and painful) 100+ hits against site x is the only way I can thing of with snort.



0
 

Author Comment

by:jameswright1337
ID: 18932029
What90,

Can't for the life of me find the article, but it did say that if a connection is using a proxy, the fowarding_for will have a variable. It looks to be an old theory because I looked at probably 100+ transcripts through Ethereal and couldn't find a definitive commonality in proxy transcripts or any major differences between proxy and normal traffic. I think for right now I'm going to have to just keep vigil in scouring the Internet for new proxy sites and get them either blocked or categorized correctly in SmartFilter. Thanks for all the input.
0
 
LVL 20

Assisted Solution

by:What90
What90 earned 250 total points
ID: 18943972
I went through a similar process looking for proxies, but ti took up to much time and energy.
We moved to using Websense and re-writing a policy to explicitly ban the use of proxies.  After the first couple of bright sparks got nailed by HR, the problem declined rapidly.

I'm sure we still have a couple of folk doing it and when we find them, the logs will nailed them to the wall :-)
0
 

Author Comment

by:jameswright1337
ID: 18945302
That's what I've been doing as well. Any time I find a new proxy site, I make sure to have it categorized correctly at Secure Computing. If it is a SSL site, that's when I submit the block request to the firewall team. So far I've been able to limit the use of web proxies almost completely. I was just hoping that there might be a way to reject the packets altogether. Thanks to everyone who commented.
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Each year, investment in cloud platforms grows more than 20% (https://www.immun.io/hubfs/Immunio_2016/Content/Marketing/Cloud-Security-Report-2016.pdf?submissionGuid=a8d80a00-6fee-4b85-81db-a4e28f681762) as an increasing number of companies begin to…
February 24, 2017 — On February 23, Travis Ormandy, a vulnerability researcher at Google, reported on Twitter (https://twitter.com/taviso/status/834900838837411840) that massive stores of data have been leaked by CloudFlare, a company that provide…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question