[Snort-sigs] HTTP Tunneling

Schmehl, Paul L pauls at ...1311...
Fri Jul 16 12:23:01 EDT 2004


Why would you even need to bother?  Since you're passing both port 80
and port 443 traffic, ISTM you'd only need one rule:

alert tcp any any -> any any (sid: 1000027; rev: 1; msg:"HTTP \
CONNECT Tunnel"; content:"CONNECT"; nocase; content:"HTTP/1."; \
nocase; classtype:misc-activity;)

(If you look for HTTP/1.0, you'll miss HTTP/1.1 traffic.)

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/  

> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net 
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of 
> Joshua Berry
> Sent: Friday, July 16, 2004 12:54 PM
> To: Barnes Brandon A1C AFWA/SCHS; Snort-Sigs (E-mail)
> Subject: RE: [Snort-sigs] HTTP Tunneling
> 
> You could do a negated pcre match:
> 
> pcre:!"/(443|80)/"
> 
> so it would be:
> alert tcp any any -> any any (sid: 1000027; rev: 1; msg:"HTTP CONNECT Tunnel"; \
> content:"CONNECT "; nocase; content:" HTTP/1.0"; nocase; \
> pcre:!"/(:443|:80)/"; classtype:misc-activity;)
> 
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of 
> Barnes Brandon A1C AFWA/SCHS
> Sent: Friday, July 16, 2004 11:57 AM
> To: 'Snort-Sigs (E-mail)'
> Subject: RE: [Snort-sigs] HTTP Tunneling
> 
> Nevermind, it's not working either and I know why.
> 
> Is there some way I can craft this to do what I need it to?
> 
> Thanks ahead,
> 
> Brandon M. Barnes, A1C, USAF
> Intrusion Detection Specialist
> HQ AFWA NOSC
> Comm 402-294-1498 - DSN 271-1498
> 
> 
> 
> -----Original Message-----
> From: Barnes Brandon A1C AFWA/SCHS
> Sent: Friday, July 16, 2004 11:14
> To: 'Joshua Berry'; Barnes Brandon A1C AFWA/SCHS; Snort-Sigs (E-mail)
> Subject: RE: [Snort-sigs] HTTP Tunneling
> 
> 
> In this instance, it actually is. I'm trying to detect the 
> actual HTTP command being sent. The format is: CONNECT 
> address:port HTTP/1.0
> 
> Here's an example:
> 
> 0x0000  4500 00ea ef9f 4000 7f06 2759 8307 e23d  E.....@...'Y...=
> 0x0010  8307 fbc8 071f 22b5 ab19 1ddb 7a4f 3d43  ......".....zO=C
> 0x0020  5018 faf0 a8b1 0000 434f 4e4e 4543 5420  P.......CONNECT.
> 0x0030  7777 772e 626b 2e75 7361 612e 636f 6d3a  www.bk.usaa.com:
> 0x0040  3434 3320 4854 5450 2f31 2e30 0d0a 5573  443.HTTP/1.0..Us
> 0x0050  6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c  er-Agent:.Mozill
> 0x0060  612f 342e 3020 2863 6f6d 7061 7469 626c  a/4.0.(compatibl
> 0x0070  653b                                     e;
> 
> Hope this helps,
> 
> Brandon M. Barnes, A1C, USAF
> Intrusion Detection Specialist
> HQ AFWA NOSC
> Comm 402-294-1498 - DSN 271-1498
> 
> 
> 
> -----Original Message-----
> From: Joshua Berry [mailto:jberry at ...2562...]
> Sent: Friday, July 16, 2004 11:06
> To: Barnes Brandon A1C AFWA/SCHS; Snort-Sigs (E-mail)
> Subject: RE: [Snort-sigs] HTTP Tunneling
> 
> 
> 443 and 80 are not in the content (payload of the packet).  You will
> have to setup a port range (alert tcp any !80:443 -> any !80:443), or
> just negate one port and live with the false positives on the other
> port.
> 
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Barnes
> Brandon A1C AFWA/SCHS
> Sent: Friday, July 16, 2004 9:20 AM
> To: Snort-Sigs (E-mail)
> Subject: [Snort-sigs] HTTP Tunneling
> 
> I tried devising a signature to detect people trying to use CONNECT on a
> vulnerable web server to tunnel elsewhere. The only problem is I got plenty
> of legit uses of CONNECT. The noise came from people going to port 443 and
> 80, so I thought I'd filter those out, but it's still not removing those. Am
> I missing something from the syntax? Any help is welcomed.
> 
> alert tcp any any -> any any (sid: 1000027; rev: 1; msg:"HTTP CONNECT Tunnel"; \
> content:"CONNECT "; nocase; content:!"443"; content:!"80"; \
> content:" HTTP/1.0"; nocase; classtype:misc-activity;)
> 
> Thanks,
> 
> Brandon M. Barnes, A1C, USAF
> Intrusion Detection Specialist
> HQ AFWA NOSC
> Comm 402-294-1498 - DSN 271-1498
> 
> 
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
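As an added illustration (not code from anyone in the thread), a small Python model of the three rule variants discussed above, run over constructed CONNECT request lines: it shows why the negated content matches and the unanchored pcre suppress alerts whenever "443" or "80" appears anywhere in the payload, and how an anchored request-line parse expresses the original intent directly. Host names, ports and User-Agent strings are constructed; the `example.net` hosts are placeholders.

```python
import re

# Anchored request-line parse: CONNECT <host>:<port> HTTP/1.x at the very start
# of the payload. Bracketed IPv6 literals are not handled (assumption, for brevity).
CONNECT_RE = re.compile(
    rb"^CONNECT[ \t]+(?P<host>[^\s:]+):(?P<port>\d{1,5})[ \t]+HTTP/1\.[01]\r?\n",
    re.IGNORECASE,
)
ALLOWED_PORTS = {80, 443}  # the "legit" CONNECT targets named in the thread

# Constructed sample payloads (not captured traffic):
LEGIT = b"CONNECT www.example.net:443 HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"
SMTP_TUNNEL = b"CONNECT mail.example.net:25 HTTP/1.0\r\nUser-Agent: Mozilla/4.0 (Windows 98; 800x600)\r\n\r\n"
ALT_PORT = b"CONNECT proxy.example.net:8080 HTTP/1.0\r\n\r\n"
HTTP11 = b"CONNECT irc.example.net:6667 HTTP/1.1\r\n\r\n"


def parse_connect(payload: bytes):
    """Return (host, port) when the payload opens with a CONNECT request line, else None."""
    m = CONNECT_RE.match(payload)
    if not m:
        return None
    return m.group("host").decode("ascii", "replace"), int(m.group("port"))


def is_suspicious_tunnel(payload: bytes) -> bool:
    """What the original poster wanted: CONNECT to anything other than port 80/443."""
    parsed = parse_connect(payload)
    return parsed is not None and parsed[1] not in ALLOWED_PORTS


def original_rule(payload: bytes) -> bool:
    """Mimics content:"CONNECT "; content:!"443"; content:!"80"; content:" HTTP/1.0"
    (case folding omitted). Each negated content is a substring test over the whole
    payload, so '443' or '80' anywhere (User-Agent, screen size, port 8080) suppresses
    the alert, which is why the rule "is not removing those" legit hits cleanly."""
    return (b"CONNECT " in payload and b" HTTP/1.0" in payload
            and b"443" not in payload and b"80" not in payload)


def thread_pcre_rule(payload: bytes) -> bool:
    """Mimics the suggested pcre:!"/(:443|:80)/" variant. Better, but still unanchored:
    ':80' is a substring of ':8080', and matching ' HTTP/1.0' misses HTTP/1.1 clients."""
    return (b"CONNECT " in payload and b" HTTP/1.0" in payload
            and re.search(rb"(:443|:80)", payload) is None)
```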



