[Snort-sigs] HTTP Tunneling

Barnes Brandon A1C AFWA/SCHS brandon.barnes at ...2455...
Fri Jul 16 11:01:18 EDT 2004


Due to my being in a hurry I missed the point of what Gammon wrote. Here now
is a much better set that seems to be working (read: not spitting out noise).
It looks as if it should catch the tunneling but I'll have to throw it in the
lab to try out the attack to see if it triggers.

Here it is:

pass tcp any any -> any any (sid: 1000029; rev: 1; msg:"HTTP CONNECT Tunnel"; content:"CONNECT "; nocase; content:"80"; content:" HTTP/1.0"; nocase; classtype:misc-activity;)
pass tcp any any -> any any (sid: 1000030; rev: 1; msg:"HTTP CONNECT Tunnel"; content:"CONNECT "; nocase; content:"443"; content:" HTTP/1.0"; nocase; classtype:misc-activity;)
alert tcp any any -> any any (sid: 1000031; rev: 1; msg:"HTTP CONNECT Tunnel"; content:"CONNECT "; nocase; content:!"80"; content:" HTTP/1.0"; nocase; classtype:misc-activity;)
alert tcp any any -> any any (sid: 1000032; rev: 1; msg:"HTTP CONNECT Tunnel"; content:"CONNECT "; nocase; content:!"443"; content:" HTTP/1.0"; nocase; classtype:misc-activity;)

Brandon M. Barnes, A1C, USAF
Intrusion Detection Specialist
HQ AFWA NOSC
Comm 402-294-1498 - DSN 271-1498
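The rules exchanged in this thread all test for "80" and "443" with unanchored content matches, so the digits are found (or not found) anywhere in the payload, not just in the port position of the CONNECT request line. The following is an added example, not code from the thread or from the Snort project: it parses the request line format the thread gives (CONNECT host:port HTTP/1.0), emulates what rule 1000027 actually checks, and runs both over a few constructed payloads, the first of which reproduces the request in the hex dump above. It also builds the equivalent Snort rule using the pcre option; that assumes a Snort build with PCRE support (2.1 or later), the sid 1000033 is simply the next free number in the thread's local range, and accepting HTTP/1.1 in addition to HTTP/1.0 is an assumption as well. One further caveat for the pass-rule set above: by default Snort evaluates alert rules before pass rules, so the pass rules only suppress the alerts if Snort is started with -o.

```python
import re

# Request-line format given in the thread: CONNECT host:port HTTP/1.0
# (assumption: HTTP/1.1 is accepted too, since proxies commonly see it)
CONNECT_RE = re.compile(
    rb"^CONNECT[ \t]+(?P<host>[^\s:]+):(?P<port>\d{1,5})[ \t]+HTTP/1\.[01]\r?\n",
    re.IGNORECASE,
)

# Ports the thread treats as legitimate CONNECT targets.
ALLOWED_PORTS = {80, 443}

# The same check as a PCRE: the negative lookahead rejects 80 and 443 only in
# the port position, so "80" elsewhere in the payload does not matter.
PCRE_PATTERN = r"^CONNECT\s+[^\s:]+:(?!(?:80|443)\s)\d{1,5}\s+HTTP\/1\.[01]"

# Equivalent Snort rule (assumption: a pcre-capable Snort, 2.1 or later;
# sid 1000033 is just the next free local sid after the thread's 1000032).
SNORT_PCRE_RULE = (
    'alert tcp any any -> any any (msg:"HTTP CONNECT tunnel to non-80/443 port"; '
    'flow:to_server,established; content:"CONNECT "; depth:8; nocase; '
    'pcre:"/' + PCRE_PATTERN + '/i"; classtype:misc-activity; sid:1000033; rev:1;)'
)


def classify_connect(payload: bytes):
    """Parse a client-to-server HTTP payload and return (verdict, host, port).

    "not-connect": payload does not start with a CONNECT request line
    "pass":        CONNECT to an allowed port (80/443)
    "alert":       CONNECT to any other port, i.e. a possible tunnel
    """
    m = CONNECT_RE.match(payload)
    if m is None:
        return ("not-connect", None, None)
    host = m.group("host").decode("ascii", "replace")
    port = int(m.group("port"))
    if port in ALLOWED_PORTS:
        return ("pass", host, port)
    return ("alert", host, port)


def pcre_would_match(payload: bytes) -> bool:
    """Whether the pcre option in SNORT_PCRE_RULE matches this payload."""
    return re.search(PCRE_PATTERN.encode(), payload, re.IGNORECASE) is not None


def original_rule_1000027_fires(payload: bytes) -> bool:
    """Emulate the thread's first attempt:
    content:"CONNECT "; nocase; content:!"443"; content:!"80"; content:" HTTP/1.0"; nocase;
    Every content option is an unanchored substring search over the whole payload.
    """
    lowered = payload.lower()
    return (
        b"connect " in lowered
        and b"443" not in payload
        and b"80" not in payload
        and b" http/1.0" in lowered
    )


# Constructed sample payloads; "legit_443" reproduces the request line in the
# thread's hex dump, the rest are made up for this example.
SAMPLES = {
    "legit_443": b"CONNECT www.bk.usaa.com:443 HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (compatible;\r\n\r\n",
    "ssh_tunnel": b"CONNECT 10.0.0.5:22 HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    "tunnel_8080": b"CONNECT proxy.example.net:8080 HTTP/1.0\r\n\r\n",
    "ip_has_80": b"CONNECT 10.1.80.7:25 HTTP/1.0\r\n\r\n",
    "plain_get": b"GET /index.html HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
}


def run_samples():
    """Per sample: parsed verdict, host, port, whether the pcre rule matches,
    and whether the thread's rule 1000027 would have fired."""
    results = {}
    for name, payload in SAMPLES.items():
        verdict, host, port = classify_connect(payload)
        results[name] = (
            verdict, host, port,
            pcre_would_match(payload),
            original_rule_1000027_fires(payload),
        )
    return results


if __name__ == "__main__":
    print(SNORT_PCRE_RULE)
    for name, (verdict, host, port, pcre, old) in run_samples().items():
        print(f"{name:12s} parsed={verdict:11s} host={host} port={port} "
              f"pcre_rule={pcre} rule1000027={old}")
```

Running it shows the two failure modes of the substring approach: the 8080 and 10.1.80.7 tunnels are never reported by rule 1000027 because "80" occurs somewhere in the payload, while the anchored parse and the pcre rule flag every CONNECT whose port is not 80 or 443 and stay quiet on the legitimate :443 request from the hex dump.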



-----Original Message-----
From: Barnes Brandon A1C AFWA/SCHS [mailto:brandon.barnes at ...2455...]
Sent: Friday, July 16, 2004 11:57
To: 'Snort-Sigs (E-mail)'
Subject: RE: [Snort-sigs] HTTP Tunneling


Never mind, it's not working either and I know why.

Is there some way I can craft this to do what I need it to?

Thanks ahead,

Brandon M. Barnes, A1C, USAF
Intrusion Detection Specialist
HQ AFWA NOSC
Comm 402-294-1498 - DSN 271-1498



-----Original Message-----
From: Barnes Brandon A1C AFWA/SCHS 
Sent: Friday, July 16, 2004 11:14
To: 'Joshua Berry'; Barnes Brandon A1C AFWA/SCHS; Snort-Sigs (E-mail)
Subject: RE: [Snort-sigs] HTTP Tunneling


In this instance, it actually is. I'm trying to detect the actual HTTP
command being sent. The format is: CONNECT address:port HTTP/1.0

Here's an example:

0x0000	 4500 00ea ef9f 4000 7f06 2759 8307 e23d	E.....@...'Y...=
0x0010	 8307 fbc8 071f 22b5 ab19 1ddb 7a4f 3d43	......".....zO=C
0x0020	 5018 faf0 a8b1 0000 434f 4e4e 4543 5420	P.......CONNECT.
0x0030	 7777 772e 626b 2e75 7361 612e 636f 6d3a	www.bk.usaa.com:
0x0040	 3434 3320 4854 5450 2f31 2e30 0d0a 5573	443.HTTP/1.0..Us
0x0050	 6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c	er-Agent:.Mozill
0x0060	 612f 342e 3020 2863 6f6d 7061 7469 626c	a/4.0.(compatibl
0x0070	 653b                                   	e;

Hope this helps,

Brandon M. Barnes, A1C, USAF
Intrusion Detection Specialist
HQ AFWA NOSC
Comm 402-294-1498 - DSN 271-1498



-----Original Message-----
From: Joshua Berry [mailto:jberry at ...2562...]
Sent: Friday, July 16, 2004 11:06
To: Barnes Brandon A1C AFWA/SCHS; Snort-Sigs (E-mail)
Subject: RE: [Snort-sigs] HTTP Tunneling


443 and 80 are not in the content (payload of the packet).  You will
have to set up a port range (alert tcp any !80:443 -> any !80:443), or
just negate one port and live with the false positives on the other
port.

-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Barnes
Brandon A1C AFWA/SCHS
Sent: Friday, July 16, 2004 9:20 AM
To: Snort-Sigs (E-mail)
Subject: [Snort-sigs] HTTP Tunneling

I tried devising a signature to detect people trying to use CONNECT on a
vulnerable web server to tunnel elsewhere. The only problem is I got plenty
of legit uses of CONNECT. The noise came from people going to port 443 and
80, so I thought I'd filter those out, but it's still not removing those. Am
I missing something from the syntax? Any help is welcomed.

alert tcp any any -> any any (sid: 1000027; rev: 1; msg:"HTTP CONNECT Tunnel"; content:"CONNECT "; nocase; content:!"443"; content:!"80"; content:" HTTP/1.0"; nocase; classtype:misc-activity;)

Thanks,

Brandon M. Barnes, A1C, USAF
Intrusion Detection Specialist
HQ AFWA NOSC
Comm 402-294-1498 - DSN 271-1498




-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

