[Snort-sigs] HTTP Tunneling

Joshua Berry jberry at ...2562...
Fri Jul 16 09:07:01 EDT 2004


443 and 80 are not in the content (payload of the packet).  You will
have to setup a port range (alert tcp any !80:443 -> any !80:443), or
just negate one port and live with the false positives on the other
port.

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Barnes
Brandon A1C AFWA/SCHS
Sent: Friday, July 16, 2004 9:20 AM
To: Snort-Sigs (E-mail)
Subject: [Snort-sigs] HTTP Tunneling

I tried devising a signature to detect people trying to use CONNECT on a
vulnerable web server to tunnel elsewhere. The only problem is I got plenty
of legit uses of CONNECT. The noise came from people going to port 443 and
80, so I thought I'd filter those out, but it's still not removing those.
Am I missing something from the syntax? Any help is welcomed.

alert tcp any any -> any any (sid:1000027; rev:1; msg:"HTTP CONNECT Tunnel"; \
    content:"CONNECT "; nocase; content:!"443"; content:!"80"; \
    content:" HTTP/1.0"; nocase; classtype:misc-activity;)

Thanks,

Brandon M. Barnes, A1C, USAF
Intrusion Detection Specialist
HQ AFWA NOSC
Comm 402-294-1498 - DSN 271-1498
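
An added illustration (not code from either poster) of what the two messages are disagreeing about: the posted rule applies negated substring matches for "443" and "80" to the whole payload, whereas the port a CONNECT request targets is a field in the request line and has to be parsed out. The request lines below are constructed samples; the 80/443 allow list is the one the thread uses.

```python
import re

# Ports the thread treats as legitimate CONNECT targets (constructed allow list).
ALLOWED_PORTS = {80, 443}

# "CONNECT host:port HTTP/1.x" request line; host may not contain ':' here.
CONNECT_LINE = re.compile(
    rb"^CONNECT[ \t]+([^\s:]+):(\d{1,5})[ \t]+HTTP/1\.[01][ \t]*\r?\n",
    re.IGNORECASE,
)


def naive_rule_matches(payload: bytes) -> bool:
    """Mimic the posted rule: 'CONNECT ' and ' HTTP/1.0' anywhere in the
    payload, and the byte strings '443' and '80' nowhere in the payload."""
    lowered = payload.lower()
    return (b"connect " in lowered and b" http/1.0" in lowered
            and b"443" not in payload and b"80" not in payload)


def parse_connect(payload: bytes):
    """Return (host, port) for a CONNECT request line, or None if absent."""
    m = CONNECT_LINE.match(payload)
    if m is None:
        return None
    return m.group(1).decode("ascii", "replace"), int(m.group(2))


def tunnel_alert(payload: bytes) -> bool:
    """Alert on a CONNECT whose parsed target port is outside the allow list."""
    parsed = parse_connect(payload)
    return parsed is not None and parsed[1] not in ALLOWED_PORTS


if __name__ == "__main__":
    # Constructed samples: the last two are tunnels the substring rule misses,
    # because "8080" contains "80" and "host443" contains "443".
    for line in (b"CONNECT www.example.com:443 HTTP/1.0\r\n\r\n",
                 b"CONNECT mail.example.com:25 HTTP/1.0\r\n\r\n",
                 b"CONNECT proxy.example.com:8080 HTTP/1.0\r\n\r\n",
                 b"CONNECT host443.example.com:22 HTTP/1.0\r\n\r\n"):
        print(line.split(b"\r\n")[0].decode(), "substring rule:",
              naive_rule_matches(line), "parsed port rule:", tunnel_alert(line))
```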
