[Snort-sigs] HTTP Tunneling

sekure sekure at ...2420...
Fri Jul 16 10:17:04 EDT 2004


I believe you need to have both !80 and !443 on one line like you had
in your original post, otherwise you'll keep getting alerts.  The !80
rule will trigger the 44 attempts and vice versa.

Can you post an example of the traffic that IS using CONNECT to a
non-standard port but that Snort running with your first rule is NOT
picking up?

There is no reason that the rule shouldn't work unless the specific
traffic you are looking for hasn't happened yet.  Are you generating
it somehow?

As the last case scenario you can set up an alert rule for all
"CONNECT" attempts, and two pass rules for CONNECT with port 80 and
443.

On Fri, 16 Jul 2004 11:57:08 -0500, Barnes Brandon A1C AFWA/SCHS
<brandon.barnes at ...2455...> wrote:
> Nevermind, it's not working either and I know why.
> 
> Is there some way I can craft this to do what I need it to?
> 
> Thanks ahead,
> 
> 
> 
> Brandon M. Barnes, A1C, USAF
> Intrusion Detection Specialist
> HQ AFWA NOSC
> Comm 402-294-1498 - DSN 271-1498
> 
> -----Original Message-----
> From: Barnes Brandon A1C AFWA/SCHS
> Sent: Friday, July 16, 2004 11 14
> To: 'Joshua Berry'; Barnes Brandon A1C AFWA/SCHS; Snort-Sigs (E-mail)
> Subject: RE: [Snort-sigs] HTTP Tunneling
> 
> In this instance, it actually is. I'm trying to detect the actual HTTP
> command being sent. The format is: CONNECT address:port HTTP/1.0
> 
> Here's an example:
> 
> 0x0000   4500 00ea ef9f 4000 7f06 2759 8307 e23d        E..... at ...253...'Y...=
> 0x0010   8307 fbc8 071f 22b5 ab19 1ddb 7a4f 3d43        ......".....zO=C
> 0x0020   5018 faf0 a8b1 0000 434f 4e4e 4543 5420        P.......CONNECT.
> 0x0030   7777 772e 626b 2e75 7361 612e 636f 6d3a        www.bk.usaa.com:
> 0x0040   3434 3320 4854 5450 2f31 2e30 0d0a 5573        443.HTTP/1.0..Us
> 0x0050   6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c        er-Agent:.Mozill
> 0x0060   612f 342e 3020 2863 6f6d 7061 7469 626c        a/4.0.(compatibl
> 0x0070   653b                                           e;
> 
> Hope this helps,
> 
> Brandon M. Barnes, A1C, USAF
> Intrusion Detection Specialist
> HQ AFWA NOSC
> Comm 402-294-1498 - DSN 271-1498
> 
> -----Original Message-----
> From: Joshua Berry [mailto:jberry at ...2562...]
> Sent: Friday, July 16, 2004 11 06
> To: Barnes Brandon A1C AFWA/SCHS; Snort-Sigs (E-mail)
> Subject: RE: [Snort-sigs] HTTP Tunneling
> 
> 443 and 80 are not in the content (payload of the packet).  You will
> have to setup a port range (alert tcp any !80:443 -> any !80:443), or
> just negate one port and live with the false positives on the other
> port.
> 
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Barnes
> Brandon A1C AFWA/SCHS
> Sent: Friday, July 16, 2004 9:20 AM
> To: Snort-Sigs (E-mail)
> Subject: [Snort-sigs] HTTP Tunneling
> 
> I tried devising a signature to detect people trying to use CONNECT on a
> vulnerable web server to tunnel elsewhere. The only problem is I got
> plenty of legit uses of CONNECT. The noise came from people going to
> port 443 and 80, so I thought I'd filter those out, but it's still not
> removing those. Am I missing something from the syntax? Any help is
> welcomed.
> 
> alert tcp any any -> any any (sid: 1000027; rev: 1; msg:"HTTP CONNECT
> Tunnel"; content:"CONNECT "; nocase; content:!"443"; content:!"80";
> content:" HTTP/1.0"; nocase; classtype:misc-activity;)
> 
> Thanks,
> 
> Brandon M. Barnes, A1C, USAF
> Intrusion Detection Specialist
> HQ AFWA NOSC
> Comm 402-294-1498 - DSN 271-1498
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
>
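The thread's rule tries to exclude legitimate CONNECT requests by negating the byte strings "443" and "80" anywhere in the payload. The packet dump above shows that the port actually lives in the request line ("CONNECT www.bk.usaa.com:443 HTTP/1.0"), so the reliable check is to parse that line and compare the port field against an allowlist. The following is an added example, not code from the thread or from the Snort project: it implements that port-field check in Python, emulates the original rule's substring logic alongside it, and runs both over constructed sample payloads (the first mirrors the packet in the thread; the hosts and User-Agent values are made up). The allowlist of ports 80 and 443 is an assumption taken from the poster's description.

```python
"""Detect HTTP CONNECT to non-standard ports by parsing the request line.

Added example (not from the thread). Two detectors are compared:
  - should_alert(): parses "CONNECT host:port HTTP/1.x" and alerts when the
    port is outside ALLOWED_PORTS;
  - substring_rule(): emulates the posted Snort rule, which requires
    "CONNECT " and " HTTP/1.0" and negates the substrings "443" and "80"
    anywhere in the payload.
"""
import re

# Ports treated as legitimate CONNECT targets (assumption for this example).
ALLOWED_PORTS = {80, 443}

# CONNECT request line: method, authority (host:port), HTTP version.
# Bracketed IPv6 literals are not handled here to keep the pattern short.
CONNECT_RE = re.compile(
    rb"^CONNECT[ \t]+(?P<host>[^\s:]+):(?P<port>\d{1,5})[ \t]+HTTP/1\.[01](?:\r?\n|$)",
    re.IGNORECASE,
)


def parse_connect(payload: bytes):
    """Return (host, port) if the payload starts with a CONNECT request line, else None."""
    m = CONNECT_RE.match(payload)
    if not m:
        return None
    port = int(m.group("port"))
    if port > 65535:  # malformed authority; treat as not a valid CONNECT line
        return None
    return m.group("host").decode("ascii", "replace"), port


def should_alert(payload: bytes) -> bool:
    """Alert on CONNECT whose target port is not in the allowlist."""
    parsed = parse_connect(payload)
    return parsed is not None and parsed[1] not in ALLOWED_PORTS


def substring_rule(payload: bytes) -> bool:
    """Emulates the posted rule's content checks over the whole payload."""
    lowered = payload.lower()
    return (
        b"connect " in lowered
        and b" http/1.0" in lowered
        and b"443" not in payload
        and b"80" not in payload
    )


# Constructed sample payloads (first one mirrors the packet dump in the thread).
SAMPLES = {
    "legit_443": b"CONNECT www.bk.usaa.com:443 HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (compatible;",
    "tunnel_22": b"CONNECT 192.0.2.10:22 HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    # "80" appears inside the port 8080, so the substring rule stays silent.
    "tunnel_8080": b"CONNECT 192.0.2.10:8080 HTTP/1.0\r\n\r\n",
    # "80" appears inside the IP address, not the port.
    "tunnel_ip_with_80": b"CONNECT 192.0.2.80:22 HTTP/1.0\r\n\r\n",
    # "443" appears in a header value, not the port.
    "tunnel_25_ua_1443": b"CONNECT mail.example.org:25 HTTP/1.0\r\nUser-Agent: Build/1443\r\n\r\n",
    # HTTP/1.1 request; the posted rule only matches " HTTP/1.0".
    "tunnel_http11": b"CONNECT 192.0.2.10:22 HTTP/1.1\r\n\r\n",
    "get_not_connect": b"GET /index.html HTTP/1.0\r\nHost: example.org\r\n\r\n",
}


def compare(samples=SAMPLES):
    """Return {name: (port_field_check, substring_rule)} for each sample."""
    return {name: (should_alert(p), substring_rule(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (port_check, naive) in compare().items():
        print(f"{name:20s} port-check={port_check!s:5s} substring-rule={naive}")
```

Every case where the two columns disagree is a tunnel attempt the substring approach misses, because the negated bytes happen to occur somewhere other than the port field. In a Snort rule the equivalent of the port-field check is to anchor the match on the request line (for example with a `pcre` option keyed to `^CONNECT\s+[^:]+:(\d+)\s+HTTP/1\.[01]`) rather than negating free-floating content strings; as the thread suggests, alerting on all CONNECT and passing the known-good ports is a workable alternative when the rule language makes the port comparison awkward.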