[Snort-sigs] HTTP Tunneling

Matthew Jonkman matt at ...2436...
Fri Jul 16 09:33:05 EDT 2004


Do you happen to have a packet dump of a tunnelling session?

Good idea for a rule.

Matt

Barnes Brandon A1C AFWA/SCHS wrote:

> I tried devising a signature to detect people trying to use CONNECT on a
> vulnerable web server to tunnel elsewhere. The only problem is I got plenty
> of legit uses of CONNECT. The noise came from people going to port 443 and
> 80, so I thought I'd filter those out, but it's still not removing those. Am
> I missing something from the syntax? Any help is welcomed.
> 
> alert tcp any any -> any any (sid: 1000027; rev: 1; msg:"HTTP CONNECT
> Tunnel"; content:"CONNECT "; nocase; content:!"443"; content:!"80";
> content:" HTTP/1.0"; nocase; classtype:misc-activity;)
> 
> Thanks,
> 
> Brandon M. Barnes, A1C, USAF
> Intrusion Detection Specialist
> HQ AFWA NOSC
> Comm 402-294-1498 - DSN 271-1498
> 
> 
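As an added illustration (not from the thread), here is a small Python emulation of what the content options in sid:1000027 express, run over constructed CONNECT request lines; it assumes Snort 2.x semantics, where a content without offset/depth/distance/within may match anywhere in the payload and a negated content succeeds only when the pattern is absent. It gives a baseline to compare against a real packet dump of the sessions that still alert.

```python
# Constructed request lines (not captured traffic), as a client would send
# them to a forward proxy. Labels: which ones a CONNECT-tunnel rule should
# flag is up to the analyst; this only shows what the rule as written does.
SAMPLE_REQUESTS = [
    "CONNECT mail.example.com:443 HTTP/1.0\r\n\r\n",
    "CONNECT www.example.com:80 HTTP/1.0\r\n\r\n",
    "CONNECT smtp.example.com:25 HTTP/1.0\r\n\r\n",
    "CONNECT irc.example.com:6667 HTTP/1.1\r\n\r\n",
    "CONNECT 192.0.2.80:25 HTTP/1.0\r\n\r\n",
    "GET /index.html HTTP/1.0\r\n\r\n",
]


def content_match(payload: bytes, pattern: bytes, nocase: bool = False) -> bool:
    """Emulate a Snort 'content' option with no positional modifiers:
    the pattern may occur anywhere in the payload (assumption: Snort 2.x)."""
    if nocase:
        return pattern.lower() in payload.lower()
    return pattern in payload


def rule_sid_1000027(payload: bytes) -> bool:
    """Emulate the rule from the thread. All options must succeed; a negated
    content (content:!"...") succeeds only if the pattern occurs nowhere."""
    return (content_match(payload, b"CONNECT ", nocase=True)
            and not content_match(payload, b"443")
            and not content_match(payload, b"80")
            and content_match(payload, b" HTTP/1.0", nocase=True))


def evaluate(requests):
    """Map each request line to whether the emulated rule would alert."""
    return {req.split("\r\n")[0]: rule_sid_1000027(req.encode()) for req in requests}


if __name__ == "__main__":
    for line, alerts in evaluate(SAMPLE_REQUESTS).items():
        print(f"{'ALERT ' if alerts else 'quiet '} {line}")
```

Two things the output makes visible: an HTTP/1.1 CONNECT never alerts because of the literal " HTTP/1.0", and a bare !"80" suppresses any payload containing "80" anywhere (here, inside an IP address), not just the port.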
