[Snort-sigs] HTTP Tunneling

Barnes Brandon A1C AFWA/SCHS brandon.barnes at ...2455...
Fri Jul 16 13:06:04 EDT 2004


The 80 and 443 traffic is of little concern to me as it's a web proxy that
generates the noise. My main concern is if someone tries to use any web
servers in my network to connect to other services on other hosts
anonymously.

Changing HTTP/1.0 to HTTP/1. is probably a good idea. At the time I was
mostly just looking at what I had. I hadn't seen any references to using
HTTP/1.1 but I suppose it's good to include it.

Thanks,

Brandon M. Barnes, A1C, USAF
Intrusion Detection Specialist
HQ AFWA NOSC
Comm 402-294-1498 - DSN 271-1498



-----Original Message-----
From: Schmehl, Paul L [mailto:pauls at ...1311...]
Sent: Friday, July 16, 2004 14:22
To: Joshua Berry; Barnes Brandon A1C AFWA/SCHS; Snort-Sigs (E-mail)
Subject: RE: [Snort-sigs] HTTP Tunneling


Why would you even need to bother?  Since you're passing both port 80
and port 443 traffic, ISTM you'd only need one rule:

alert tcp any any -> any any (sid: 1000027; rev: 1; msg:"HTTP \ 
CONNECT Tunnel"; content:"CONNECT"; nocase; content:"HTTP/1."; \
nocase; classtype:misc-activity;)

(If you look for HTTP/1.0, you'll miss HTTP/1.1 traffic.)

Paul Schmehl (pauls at ...1311...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/  

> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net 
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of 
> Joshua Berry
> Sent: Friday, July 16, 2004 12:54 PM
> To: Barnes Brandon A1C AFWA/SCHS; Snort-Sigs (E-mail)
> Subject: RE: [Snort-sigs] HTTP Tunneling
> 
> You could do a negated pcre match:
> 
> pcre:!"/(443|80)/"
> 
> so it would be:
> alert tcp any any -> any any (sid: 1000027; rev: 1; msg:"HTTP CONNECT Tunnel"; content:"CONNECT "; nocase; content:" HTTP/1.0"; nocase; pcre:!"/(:443|:80)/"; classtype:misc-activity;)
> 
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of 
> Barnes Brandon A1C AFWA/SCHS
> Sent: Friday, July 16, 2004 11:57 AM
> To: 'Snort-Sigs (E-mail)'
> Subject: RE: [Snort-sigs] HTTP Tunneling
> 
> Never mind, it's not working either and I know why.
> 
> Is there some way I can craft this to do what I need it to?
> 
> Thanks ahead,
> 
> Brandon M. Barnes, A1C, USAF
> Intrusion Detection Specialist
> HQ AFWA NOSC
> Comm 402-294-1498 - DSN 271-1498
> 
> 
> 
> -----Original Message-----
> From: Barnes Brandon A1C AFWA/SCHS
> Sent: Friday, July 16, 2004 11:14
> To: 'Joshua Berry'; Barnes Brandon A1C AFWA/SCHS; Snort-Sigs (E-mail)
> Subject: RE: [Snort-sigs] HTTP Tunneling
> 
> 
> In this instance, it actually is. I'm trying to detect the actual HTTP
> command being sent. The format is: CONNECT address:port HTTP/1.0
> 
> Here's an example:
> 
> 0x0000   4500 00ea ef9f 4000 7f06 2759 8307 e23d   E.....@..'Y...=
> 0x0010   8307 fbc8 071f 22b5 ab19 1ddb 7a4f 3d43   ......".....zO=C
> 0x0020   5018 faf0 a8b1 0000 434f 4e4e 4543 5420   P.......CONNECT.
> 0x0030   7777 772e 626b 2e75 7361 612e 636f 6d3a   www.bk.usaa.com:
> 0x0040   3434 3320 4854 5450 2f31 2e30 0d0a 5573   443.HTTP/1.0..Us
> 0x0050   6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c   er-Agent:.Mozill
> 0x0060   612f 342e 3020 2863 6f6d 7061 7469 626c   a/4.0.(compatibl
> 0x0070   653b                                      e;
> 
> Hope this helps,
> 
> Brandon M. Barnes, A1C, USAF
> Intrusion Detection Specialist
> HQ AFWA NOSC
> Comm 402-294-1498 - DSN 271-1498
> 
> 
> 
> -----Original Message-----
> From: Joshua Berry [mailto:jberry at ...2562...]
> Sent: Friday, July 16, 2004 11:06
> To: Barnes Brandon A1C AFWA/SCHS; Snort-Sigs (E-mail)
> Subject: RE: [Snort-sigs] HTTP Tunneling
> 
> 
> 443 and 80 are not in the content (payload of the packet).  You will
> have to set up a port range (alert tcp any !80:443 -> any !80:443), or
> just negate one port and live with the false positives on the other
> port.
> 
> -----Original Message-----
> From: snort-sigs-admin at lists.sourceforge.net
> [mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Barnes
> Brandon A1C AFWA/SCHS
> Sent: Friday, July 16, 2004 9:20 AM
> To: Snort-Sigs (E-mail)
> Subject: [Snort-sigs] HTTP Tunneling
> 
> I tried devising a signature to detect people trying to use CONNECT on a
> vulnerable web server to tunnel elsewhere. The only problem is I got
> plenty of legit uses of CONNECT. The noise came from people going to
> port 443 and 80, so I thought I'd filter those out, but it's still not
> removing those. Am I missing something from the syntax? Any help is
> welcomed.
> 
> alert tcp any any -> any any (sid: 1000027; rev: 1; msg:"HTTP CONNECT Tunnel"; content:"CONNECT "; nocase; content:!"443"; content:!"80"; content:" HTTP/1.0"; nocase; classtype:misc-activity;)
> 
> Thanks,
> 
> Brandon M. Barnes, A1C, USAF
> Intrusion Detection Specialist
> HQ AFWA NOSC
> Comm 402-294-1498 - DSN 271-1498
> 
> 
> 
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
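As an added example, not code from the thread or from any of its posters: the thread's point is that the port of a CONNECT request lives in the request line (`CONNECT host:port HTTP/1.x`), not in the TCP header, and that negated substring matches on the whole payload are a poor way to exclude it (a pattern like `:80` also matches `:8080`). The Python below takes the hex of the packet Brandon posted, strips the IP and TCP headers using the IHL and data-offset fields, parses the request line anchored at the start of the payload, and classifies the request by destination port. It also mimics the negated-pcre rule from the thread so the difference on a port-8080 request is visible. The two example.net payloads and the `EXPECTED_PORTS` set (80 and 443, as discussed in the thread) are constructed assumptions.

```python
import re

# Hex columns of the packet dump Brandon posted in the thread (the capture was
# cut at offset 0x72, so the payload ends mid-header).
SAMPLE_HEX = """
4500 00ea ef9f 4000 7f06 2759 8307 e23d
8307 fbc8 071f 22b5 ab19 1ddb 7a4f 3d43
5018 faf0 a8b1 0000 434f 4e4e 4543 5420
7777 772e 626b 2e75 7361 612e 636f 6d3a
3434 3320 4854 5450 2f31 2e30 0d0a 5573
6572 2d41 6765 6e74 3a20 4d6f 7a69 6c6c
612f 342e 3020 2863 6f6d 7061 7469 626c
653b
"""

# Anchored request-line parse: only a CONNECT request line at the very start of
# the payload counts, and the port comes from the authority part, not from a
# digit string found anywhere in the packet.
CONNECT_LINE = re.compile(
    rb"^CONNECT[ \t]+([^\s:]+):(\d{1,5})[ \t]+HTTP/1\.[01]\r?\n", re.IGNORECASE)

# Ports the thread treats as ordinary proxy use (assumption; tune per site).
EXPECTED_PORTS = {80, 443}


def tcp_payload(packet: bytes) -> bytes:
    """Return the TCP payload of a raw IPv4 packet (no link-layer header)."""
    if packet[0] >> 4 != 4 or packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (packet[0] & 0x0F) * 4            # IP header length in bytes
    data_offset = (packet[ihl + 12] >> 4) * 4  # TCP header length in bytes
    return packet[ihl + data_offset:]


def parse_connect(payload: bytes):
    """Return (host, port) for a CONNECT request line, or None if absent."""
    m = CONNECT_LINE.match(payload)
    if not m:
        return None
    port = int(m.group(2))
    if not 0 < port < 65536:
        return None
    return m.group(1).decode("ascii"), port


def classify(payload: bytes) -> str:
    """'proxy' for CONNECT to an expected port, 'tunnel' for any other port,
    'other' when the payload is not a CONNECT request at all."""
    parsed = parse_connect(payload)
    if parsed is None:
        return "other"
    return "proxy" if parsed[1] in EXPECTED_PORTS else "tunnel"


def substring_rule_alerts(payload: bytes) -> bool:
    """Mimic the negated-pcre rule from the thread: alert when CONNECT and
    HTTP/1. are present and ':443' or ':80' occurs nowhere in the payload.
    Because ':80' is a substring of ':8080', that rule stays silent on 8080."""
    return (re.search(rb"CONNECT", payload, re.IGNORECASE) is not None
            and re.search(rb"HTTP/1\.", payload, re.IGNORECASE) is not None
            and re.search(rb":443|:80", payload) is None)


if __name__ == "__main__":
    samples = {
        "thread packet": tcp_payload(bytes.fromhex(SAMPLE_HEX)),
        # Constructed payloads, not taken from the thread.
        "constructed smtp": b"CONNECT mail.example.net:25 HTTP/1.1\r\nHost: mail.example.net\r\n\r\n",
        "constructed 8080": b"CONNECT relay.example.net:8080 HTTP/1.0\r\n\r\n",
    }
    for name, payload in samples.items():
        print(f"{name:16} parsed={parse_connect(payload)} class={classify(payload)} "
              f"substring-rule-alerts={substring_rule_alerts(payload)}")
```

Running it shows the thread's own packet classified as ordinary proxy use (port 443), the port-25 request flagged by both approaches, and the port-8080 request flagged only by the parsed-port check, since the substring rule is suppressed by the `:80` prefix of `:8080`.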