How to catch web proxy browsing using Snort/Squil
Posted on 2007-03-21
I am one of the network analyst with my company and I have been seeing an increase in web proxy use and I'm hoping to get some kind of help. Right now the only way I can find someone browsing the Internet via a proxy is by taking the IP address of a known proxy site and running a sancp query for it, to look for any traffic for the past few days. Sounds tedious I know, but we can't turn on the HTTP preprocessor in Snort because it causes way too many alerts, almost all false-positives. Snort hasn't updated that preprocessor in quite some time, so how it finds http_proxy is by looking for a URL within another URL, which is how ad banners and pop-ups work nowadays. We could write a rule to look for any instance of the word 'proxy' or 'anonymous', but again, we'd get way too many false-positives and not all web proxy sites have those words within the page. While researching how exactly proxies work, I found an article that stated that anonymous proxies do not send the HTTP_X_FORWARDING_FOR variable to the host. Not quite sure what I could do with that info (even our Snort engineer doesn't understand how to use that within a rule). I tried looking at multiple transcripts from a proxy hit and from normal http traffic, but I cannot for the life of me find anything that distinguishes one from the other. We also use Smart Filter which uses the database from securecomputing.com, but that thing goes down all the time, making it virtually useless.
Any help with this would be great, as I am hoping to catch the majority of proxy users rather than the measly 10% I get on good days. Thank you for any inputs you can provide.