[Snort-sigs] HTTP Tunneling

Matthew Jonkman matt at ...2436...
Fri Jul 16 13:48:19 EDT 2004

I think I'm tracking what you're all proposing. Here's what the current 
rules look like then:


There's a lot of cross-discussion, want to help keep it straight here.


sekure wrote:

> I believe you need to have both !80 and !443 on one line like you had
> in your original post, otherwise you'll keep getting alerts.  The !80
> rule will trigger the 44 attempts and vice versa.
> Can you post an example of the traffic that IS using CONNECT to a
> non-standard port but that Snort running with your first rule is NOT
> picking up?
> There is no reason that the rule shouldn't work unless the specific
> traffic you are looking for hasn't happened yet.  Are you generating
> it somehow?
> As the last case scenario you can set up an alert rule for all
> "CONNECT" attempts, and two pass rules for CONNECT with port 80 and
> 443.
> On Fri, 16 Jul 2004 11:57:08 -0500, Barnes Brandon A1C AFWA/SCHS
> <brandon.barnes at ...2455...> wrote:
>>Nevermind, it's not working either and I know why.
>>Is there some way I can craft this to do what I need it to?
>>Thanks ahead,
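
The rule logic discussed in the quoted reply, modelled in Python as an added example (not part of the original thread and not Snort rule syntax). The sample request lines, the function names and the trailing-space port match are assumptions made for the illustration.

```python
# Constructed sample request lines (not taken from the thread).
SAMPLES = [
    "CONNECT mail.example.com:443 HTTP/1.0",
    "CONNECT www.example.com:80 HTTP/1.1",
    "CONNECT host.example.net:22 HTTP/1.0",
    "CONNECT host.example.net:8080 HTTP/1.1",
    "GET /index.html HTTP/1.1",
]

def is_connect(line):
    """Positive content match: the request is a CONNECT."""
    return line.startswith("CONNECT ")

def to_port(line, port):
    # Trailing space is an assumption: it keeps ":80" from matching ":8080".
    return f":{port} " in line

def split_rules(line):
    """Two separate rules, each negating a single port."""
    fired = []
    if is_connect(line) and not to_port(line, 80):
        fired.append("not-80")    # also fires on CONNECT to 443
    if is_connect(line) and not to_port(line, 443):
        fired.append("not-443")   # also fires on CONNECT to 80
    return fired

def combined_rule(line):
    """One rule carrying both negations on the same line."""
    return is_connect(line) and not to_port(line, 80) and not to_port(line, 443)

def alert_with_pass(line):
    """Fallback: alert on every CONNECT, with pass rules for 80 and 443.
    Assumes the pass rules are evaluated before the alert rule."""
    if is_connect(line) and (to_port(line, 80) or to_port(line, 443)):
        return False              # a pass rule matched, no alert
    return is_connect(line)

def report(lines=SAMPLES):
    """Return (line, split-rule hits, combined alert, alert+pass alert)."""
    return [(l, split_rules(l), combined_rule(l), alert_with_pass(l))
            for l in lines]

if __name__ == "__main__":
    for row in report():
        print(row)
```

With the rules split, every CONNECT to 80 or 443 still raises one alert from the other rule; the combined rule and the alert-plus-pass arrangement alert only on the port 22 and port 8080 samples.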
