[Snort-sigs] rules and protocol URL

Jason Haar Jason.Haar at ...651...
Mon Nov 10 12:58:10 EST 2003

On Tue, 2003-11-11 at 04:48, Matt Kettler wrote:
> At 08:52 AM 11/10/2003, Nosnos wrote:
> >I want to know how to write a rule that only matches traffic that corresponds 
> >to the HTTP protocol ... ? I know that rules often try to match port 80, 
> >but I want a rule that detects the HTTP protocol and is not based on the port 
> >number ....
> >
> >(I want the same thing for the POP or SMTP protocol) ...
> Sorry, but Snort's not capable of listening to every arbitrary port and 
> determining what protocol is on it without being told in advance. Offhand, 
> I don't know of any products that do this as an IDS system.

Perfect example of why application proxies work so well. Whoops - "as
enforcers of policy" of course ;-) Products such as the Packeteer packet
shaper can do this (a bit) - they really should look at incorporating
IDS functionality into their product line (hey - if they haven't already
thought of this - does that mean it's my idea? ;-) Copyright Jason Haar
2003 ;-)

Block all Internet access, force everyone through a proxy (e.g. Squid),
then configure it to only allow HTTP access on particular ports. Stops a
lot of sneaky traffic - but - I admit - doesn't stop all. Most vendors
are now rewriting their network apps to make all their traffic look like
HTTP to get around firewalls and even application proxies - sigh. MS
Messenger is a prime example of this.

(At least the logs are good! :-)


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
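A concrete form of the proxy policy Jason describes (force everything through Squid, then let it speak HTTP only to a short list of destination ports), added here as an illustrative example rather than configuration from the original message. The port list, the `localnet` client range of 10.0.0.0/8 and the listener on port 3128 are assumptions for the example; the perimeter firewall that blocks direct outbound access is assumed to exist separately, and the `all` ACL is built in from Squid 3.2 onward but must be declared by hand on older releases such as the 2.5 series of 2003.

```squid
# Example squid.conf fragment (not from the original post): a port whitelist
# for outbound HTTP, applied before any client is allowed through.
http_port 3128                       # assumed listener; clients are pointed here

# Destination ports a client may request at all. Anything else is refused,
# so an application that tunnels over an odd port is stopped at the proxy.
acl Safe_ports port 80               # plain HTTP
acl Safe_ports port 443              # HTTPS, reached via CONNECT below

# CONNECT tunnels carry opaque bytes, so restrict them even further:
# only to ports where TLS is expected.
acl SSL_ports port 443
acl CONNECT method CONNECT

# Client range that is permitted to use the proxy (assumed value).
acl localnet src 10.0.0.0/8

# On Squid older than 3.2 the catch-all ACL must be defined explicitly:
# acl all src 0.0.0.0/0.0.0.0

# Order matters: http_access rules are evaluated top to bottom and the
# first match wins, so the port denials come before the allow.
http_access deny !Safe_ports          # refuse requests to any other port
http_access deny CONNECT !SSL_ports   # refuse CONNECT to anything but 443
http_access allow localnet            # internal clients may proceed
http_access deny all                  # everyone and everything else is refused

# Every request, allowed or denied, is written to access.log, which is the
# audit trail the post refers to; the default squid format is kept here.
access_log /var/log/squid/access.log squid
```

A denied request for a non-listed port shows up in access.log with a `TCP_DENIED` result and the destination the client asked for, which is what makes the proxy useful as a detection point and not only as an enforcement point. Traffic that genuinely is HTTP on port 80, including the "looks like HTTP" protocols the post complains about, still passes; the whitelist narrows the channel, it does not identify the application inside it.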
