[Snort-sigs] HTTP Tunneling

Barnes Brandon A1C AFWA/SCHS brandon.barnes at ...2455...
Fri Jul 16 07:22:46 EDT 2004


I tried devising a signature to detect people trying to use CONNECT on a
vulnerable web server to tunnel elsewhere. The only problem is I got plenty
of legit uses of CONNECT. The noise came from people going to port 443 and
80, so I thought I'd filter those out, but it's still not removing those. Am
I missing something from the syntax? Any help is welcomed.

alert tcp any any -> any any (sid:1000027; rev:1; msg:"HTTP CONNECT Tunnel"; \
    content:"CONNECT "; nocase; content:!"443"; content:!"80"; \
    content:" HTTP/1.0"; nocase; classtype:misc-activity;)

Thanks,

Brandon M. Barnes, A1C, USAF
Intrusion Detection Specialist
HQ AFWA NOSC
Comm 402-294-1498 - DSN 271-1498
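An added illustration, not part of the original post: the posted rule's negated contents are position-free substring tests over the whole payload, so even when they behave exactly as written they test for the digits "80" and "443" anywhere in the request, not for the port. The Python below applies the rule's logic to a few constructed CONNECT request lines beside a check that parses the port out of the request line (it also accepts HTTP/1.1, which the posted rule does not); the sample lines are made up for the demonstration.

```python
import re

# Constructed sample request lines (not captured traffic); each is the first
# line of a proxy request as it would appear in the TCP payload. The value is
# what an analyst would want the rule to decide: True = alert, False = legit.
SAMPLES = {
    "CONNECT mail.example.com:443 HTTP/1.0\r\n": False,  # ordinary TLS proxying
    "CONNECT www.example.com:80 HTTP/1.0\r\n": False,    # ordinary plain proxying
    "CONNECT host.example.com:25 HTTP/1.0\r\n": True,    # SMTP through the proxy
    "CONNECT 10.80.1.2:22 HTTP/1.0\r\n": True,           # '80' sits in the host, not the port
    "CONNECT alt.example.com:8443 HTTP/1.0\r\n": True,   # '443' is a substring of 8443
}

def posted_rule_matches(payload: str) -> bool:
    """Mirror the posted rule: every content keyword is an independent,
    position-free substring test over the whole payload."""
    lowered = payload.lower()
    return ("connect " in lowered
            and "443" not in payload
            and "80" not in payload
            and " http/1.0" in lowered)

# Anchor on the request line and capture the port as its own field.
# Accepts HTTP/1.0 and HTTP/1.1 (the posted rule keys on 1.0 only).
REQUEST_LINE = re.compile(
    r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d{1,5})\s+HTTP/1\.[01]\r?\n", re.I)
ALLOWED_PORTS = {80, 443}

def tunnel_to_other_port(payload: str) -> bool:
    """Alert only when the parsed port is outside the allowed set, so digits
    inside a host name or a longer port number cannot mislead the check."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return False
    return int(m.group("port")) not in ALLOWED_PORTS

def compare() -> dict:
    """Per sample: (wanted verdict, posted-rule verdict, parsed-port verdict)."""
    return {line: (want, posted_rule_matches(line), tunnel_to_other_port(line))
            for line, want in SAMPLES.items()}

if __name__ == "__main__":
    for line, (want, naive, parsed) in compare().items():
        print(f"{line.strip()!r:45} want={want} substring={naive} port={parsed}")
```

The two samples with a host containing "80" and a port of 8443 are the ones the substring approach gets wrong; in Snort the same idea would be expressed with a pcre anchored on the request line rather than bare negated contents.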

