Determining remote proxy servers using Bro.


Recently we have seen an uptick in use of proxy servers to login to the accounts from people living in China. And since the connection appears to come from US based IP address (probably a proxy) they go un-flagged by the IDS/IPS devices, as they see normal logins from United States IP addresses.
So my question is, is there a way to determine that the incoming connection from an IP is actually a proxy server’s IP, by looking at some unique patterns in data collected by IDS/IPS devices? and if so can we do it using Bro?


Hi Fatema,

one idea would be to look if the used proxy servers set a header like,
X-Forwarded-For ( If such a
header is present, you already might have an entry in the proxied column
of http.log.

I hope this helps,

Thanks Johanna,

Didn’t realized that the “Proxied” field in http.log serves the purpose. Thanks for the suggestion.