[Snort-sigs] HTTP Tunneling

Barnes Brandon A1C AFWA/SCHS brandon.barnes at ...2455...
Fri Jul 16 09:13:10 EDT 2004

In this instance, it actually is. I'm trying to detect the actual HTTP
command being sent. The format is: CONNECT address:port HTTP/1.0

Here's an example:

0x0000	 4500 00ea ef9f 4000 7f06 2759 8307 e23d	E..... at ...253...'Y...=
0x0010	 8307 fbc8 071f 22b5 ab19 1ddb 7a4f 3d43	......".....zO=C
0x0020	 5018 faf0 a8b1 0000 434f 4e4e 4543 5420	P.......CONNECT.
0x0030	 7777 772e 626b 2e75 7361 612e 636f 6d3a	www.bk.usaa.com:
0x0040	 3434 3320 4854 5450 2f31 2e30 0d0a 5573	443.HTTP/1.0..Us
0x0050	 6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c	er-Agent:.Mozill
0x0060	 612f 342e 3020 2863 6f6d 7061 7469 626c	a/4.0.(compatibl
0x0070	 653b                                   	e;

Hope this helps,

Brandon M. Barnes, A1C, USAF
Intrusion Detection Specialist
Comm 402-294-1498 - DSN 271-1498

-----Original Message-----
From: Joshua Berry [mailto:jberry at ...2562...]
Sent: Friday, July 16, 2004 11 06 
To: Barnes Brandon A1C AFWA/SCHS; Snort-Sigs (E-mail)
Subject: RE: [Snort-sigs] HTTP Tunneling

443 and 80 are not in the content (payload of the packet).  You will
have to setup a port range (alert tcp any !80:443 -> any !80:443), or
just negate one port and live with the false positives on the other

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Barnes
Sent: Friday, July 16, 2004 9:20 AM
To: Snort-Sigs (E-mail)
Subject: [Snort-sigs] HTTP Tunneling

I tried devising a signature to detect people trying to use CONNECT on a
vulnerable web server to tunnel elsewhere. The only problem is I got
of legit uses of CONNECT. The noise came from people going to port 443
80, so I thought I'd filter those out, but it's still not removing
those. Am
I missing something from the syntax? Any help is welcomed.

alert tcp any any -> any any (sid: 1000027; rev: 1; msg:"HTTP CONNECT
Tunnel"; content:"CONNECT "; nocase; content:!"443"; content:!"80";
content:" HTTP/1.0"; nocase; classtype:misc-activity;)


Brandon M. Barnes, A1C, USAF
Intrusion Detection Specialist
Comm 402-294-1498 - DSN 271-1498

This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

More information about the Snort-sigs mailing list