1️⃣ Some background knowledge:
(1) The HTTP/1.0 protocol specifies that when a client reaches a web server through a proxy, the proxy adds a Via: header to the HTTP request and response headers to identify itself, so that proxy loops can be detected and prevented.
(2) Snort is an open source IDS (intrusion detection system) that can run as a host or network IDS. Using its large rule set, it performs pattern matching on captured packets (IP, TCP, UDP, ICMP) and generates the corresponding alert records.
(3) libnet is an open source library for constructing and injecting network packets.
(4) The TCP/IP network is a packet-switched network.
(5) Snort can also generate IP packets through the libnet library; in particular, it can tear down a TCP connection by sending a TCP RST packet.
2️⃣ Prerequisites:
(1) Snort runs on the router (Linux), or, using the port-mirroring function of the switch, on a host in the same network segment as the router.
3️⃣ Implementation:
(1) Compile Snort with the flexresp (flexible response) feature enabled.
(2) Define the Snort rule (the Via: header lives in the HTTP header block, not in the URI, so it is matched with content rather than uricontent; header names are case-insensitive, hence nocase):
alert tcp $HOME_NET any <> $EXTERNAL_NET 80 (msg:"block proxy"; content:"Via:"; nocase; resp:rst_all; sid:1000001; rev:1;)
4️⃣ Effect:
Internal network users can browse external websites normally. If an internal user's browser is configured to use an external proxy, the HTTP request and response headers will include a Via: header; the Snort rule matches this connection and sends RST packets to both the client and the server sockets, so the TCP connection is terminated.
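The following Python script is an added example, not code from the original post or from the Snort project. It reproduces the detection half of the rule above in plain code: it parses constructed HTTP messages (the sample requests and response are made up for this example), looks for a Via header in the header block the way content:"Via:"; nocase; does, and also shows why a uricontent match on the request URI would never fire for this header.

```python
"""Added example: detect the Via header that the Snort rule keys on.

Sample messages below are constructed for this example; none come from
a real capture.
"""


def http_header_block(raw: bytes) -> bytes:
    """Return the start line plus headers, dropping everything after CRLFCRLF."""
    end = raw.find(b"\r\n\r\n")
    return raw if end < 0 else raw[:end]


def find_via(raw: bytes):
    """Return the value of the first Via header, or None if there is none.

    Header names are case-insensitive, so the comparison is lowercased,
    which is the same effect as the rule's `nocase` modifier.
    """
    lines = http_header_block(raw).split(b"\r\n")
    for line in lines[1:]:  # skip the request line / status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"via":
            return value.strip().decode("latin-1")
    return None


def request_uri(raw: bytes):
    """Request-target from the request line (the buffer `uricontent` inspects)."""
    first = http_header_block(raw).split(b"\r\n", 1)[0]
    parts = first.split(b" ")
    return parts[1].decode("latin-1") if len(parts) >= 2 else None


def uri_contains_via(raw: bytes) -> bool:
    """What a `uricontent:"Via:"` match would see: only the URI, never headers."""
    uri = request_uri(raw)
    return uri is not None and "via:" in uri.lower()


def rule_would_fire(raw: bytes) -> bool:
    """True when the header-based rule (content:"Via:"; nocase;) would alert."""
    return find_via(raw) is not None


# Constructed samples.
DIRECT_REQUEST = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: test\r\n\r\n"
)
# A browser talking through a forward proxy: the proxy adds a Via header
# (lowercase here to show the case-insensitive match).
PROXIED_REQUEST = (
    b"GET http://www.example.com/index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"via: 1.1 proxy.example.net:3128\r\n\r\n"
)
# A response from a site fronted by a reverse proxy / cache, which also
# inserts Via even though the client used no proxy at all.
CDN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Via: 1.1 varnish\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, msg in (("direct", DIRECT_REQUEST),
                       ("proxied", PROXIED_REQUEST),
                       ("cdn-response", CDN_RESPONSE)):
        print(f"{label:13s} via={find_via(msg)!r} "
              f"rule_fires={rule_would_fire(msg)} "
              f"uricontent_fires={uri_contains_via(msg)}")
```

The third sample is the caveat to keep in mind before deploying resp:rst_all on a bidirectional rule: reverse proxies and CDNs add Via to responses as well, so a rule that matches both directions will also reset connections to sites that merely sit behind such infrastructure. Restricting the rule to client-to-server traffic (for example $HOME_NET any -> $EXTERNAL_NET 80 together with flow:to_server,established;) limits the resets to requests that actually carry a Via header from the client side.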
Enjoy! Follow us for more...