Determining remote proxy servers using Bro.

Hi,

Recently we have seen an uptick in the use of proxy servers to log in to accounts from people living in China. And since the connection appears to come from a US-based IP address (probably a proxy), they go un-flagged by the IDS/IPS devices, as they see normal logins from United States IP addresses.
So my question is, is there a way to determine that the incoming connection from an IP is actually a proxy server’s IP, by looking at some unique patterns in data collected by IDS/IPS devices? And if so, can we do it using Bro?

Thanks,
Fatema.

Hi Fatema,

One idea would be to look at whether the proxy servers being used set a header like
X-Forwarded-For (https://en.wikipedia.org/wiki/X-Forwarded-For). If such a
header is present, you already might have an entry in the proxied column
of http.log.

I hope this helps,
Johanna
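As an added illustration of Johanna's suggestion (this is example code, not from the thread or from the Bro project), the script below reads a Bro ASCII http.log, picks out requests whose `proxied` column is populated, and extracts the client address a proxy reported in X-Forwarded-For or a similar header. It assumes the Bro 2.x http.log layout, where `proxied` is a comma-separated set of `HEADER -> value` strings with upper-cased header names and `-` when no proxy header was seen; the sample log lines, the column subset, the `/login` URI prefix and all addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample of a Bro 2.x http.log (tab separated). Only a subset of
# the real columns is included; the "proxied" column is the one of interest.
SAMPLE_HTTP_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\thttp
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tmethod\thost\turi\tuser_agent\tproxied
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tstring\tset[string]
1453218451.123456\tCabc1\t203.0.113.10\t51234\t198.51.100.5\t80\tPOST\tlogin.example.com\t/login\tMozilla/5.0\tX-FORWARDED-FOR -> 192.0.2.77
1453218452.000000\tCabc2\t203.0.113.11\t51235\t198.51.100.5\t80\tGET\tlogin.example.com\t/\tMozilla/5.0\t-
1453218453.000000\tCabc3\t203.0.113.12\t51236\t198.51.100.5\t80\tPOST\tlogin.example.com\t/login\tcurl/7.47\tVIA -> 1.1 proxy.example.net,X-FORWARDED-FOR -> 192.0.2.78
#close\t2016-01-19-16-00-00
"""

# Proxy headers whose value names the client behind the proxy (assumption:
# Bro stores the header names upper-cased in the proxied column).
CLIENT_ADDRESS_HEADERS = {"X-FORWARDED-FOR", "X-FORWARDED-FROM", "CLIENT-IP", "FORWARDED"}


def parse_bro_log(text: str) -> List[Dict[str, str]]:
    """Turn Bro ASCII log text into a list of {field: value} rows, using the #fields header."""
    fields: Optional[List[str]] = None
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other metadata lines (#separator, #types, #close, ...)
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def parse_proxied(value: str) -> List[Tuple[str, str]]:
    """Split a proxied set like 'VIA -> x,X-FORWARDED-FOR -> y' into (header, value) pairs."""
    if value in ("-", "(empty)"):
        return []
    pairs = []
    for element in value.split(","):
        header, sep, val = element.partition(" -> ")
        if sep:
            pairs.append((header.strip(), val.strip()))
    return pairs


def first_ip(value: str) -> Optional[str]:
    """Return the first syntactically valid IP in a header value, or None.

    Handles both plain lists ('192.0.2.1, 10.0.0.1') and RFC 7239 style
    'for=192.0.2.1;proto=http' values.
    """
    for token in value.replace(";", ",").split(","):
        token = token.strip()
        if token.lower().startswith("for="):
            token = token[4:].strip('"')
        token = token.strip("[]")  # bracketed IPv6 literals
        try:
            return str(ipaddress.ip_address(token))
        except ValueError:
            continue
    return None


def find_proxied_requests(log_text: str, uri_prefix: str = "/login") -> List[Dict[str, object]]:
    """Report requests under uri_prefix that carried a proxy header, with the reported client IP."""
    findings: List[Dict[str, object]] = []
    for row in parse_bro_log(log_text):
        if not row.get("uri", "").startswith(uri_prefix):
            continue
        headers = parse_proxied(row.get("proxied", "-"))
        if not headers:
            continue
        client_ip = None
        for name, val in headers:
            if name in CLIENT_ADDRESS_HEADERS:
                client_ip = first_ip(val)
                if client_ip:
                    break
        findings.append({
            "uid": row["uid"],
            "orig_h": row["id.orig_h"],          # the address the IDS actually saw
            "host": row.get("host"),
            "proxy_headers": [name for name, _ in headers],
            "client_behind_proxy": client_ip,     # what the proxy claims the real client is
        })
    return findings


if __name__ == "__main__":
    for f in find_proxied_requests(SAMPLE_HTTP_LOG):
        print(f)
```

Two caveats for anyone using this as a detection: the header is only visible when the proxy chooses to add it and the traffic is cleartext HTTP on the monitored path (TLS hides it from Bro), and the value is supplied by whoever sent the request, so treat `client_behind_proxy` as an indicator that a proxy was involved rather than as a trustworthy client address.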

Thanks Johanna,

Didn’t realize that the “proxied” field in http.log serves the purpose. Thanks for the suggestion.

-Fatema