[Snort-sigs] HTTP Tunneling

Matthew Jonkman matt at ...2436...
Fri Jul 16 13:48:19 EDT 2004


I think I'm tracking what you're all proposing. Here's what the current 
rules look like then:

http://www.bleedingsnort.com/cgi-bin/viewcvs.cgi/Stable/POLICY_HTTP_Tunneling_via_Proxy?rev=1.3&content-type=text/vnd.viewcvs-markup

There's a lot of cross-discussion, want to help keep it straight here.

Matt

sekure wrote:

> I believe you need to have both !80 and !443 on one line like you had
> in your original post, otherwise you'll keep getting alerts.  The !80
> rule will trigger the 44 attempts and vice versa.
> 
> Can you post an example of the traffic that IS using CONNECT to a
> non-standard port but that Snort running with your first rule is NOT
> picking up?
> 
> There is no reason that the rule shouldn't work unless the specific
> traffic you are looking for hasn't happened yet.  Are you generating
> it somehow?
> 
> As the last case scenario you can set up an alert rule for all
> "CONNECT" attempts, and two pass rules for CONNECT with port 80 and
> 443.
> 
> On Fri, 16 Jul 2004 11:57:08 -0500, Barnes Brandon A1C AFWA/SCHS
> <brandon.barnes at ...2455...> wrote:
> 
>>Nevermind, it's not working either and I know why.
>>
>>Is there some way I can craft this to do what I need it to?
>>
>>Thanks ahead,
>>
>>
>>

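The port logic sekure describes (two independent `!80` / `!443` rules firing on each other's traffic, versus one rule that excludes both ports, versus a blanket CONNECT alert with pass rules for 80 and 443) can be modelled outside Snort. The following Python is an added example, not a rule from the thread or from the bleedingsnort rule file linked above; the CONNECT request lines are constructed samples, and the function and rule names are my own.

```python
import re

# Constructed sample proxy request lines (not traffic from the thread).
SAMPLE_REQUESTS = [
    "CONNECT www.example.com:443 HTTP/1.1",
    "CONNECT mail.example.net:80 HTTP/1.0",
    "CONNECT tunnel.example.org:22 HTTP/1.1",
    "CONNECT 198.51.100.7:8443 HTTP/1.1",
    "GET http://www.example.com/ HTTP/1.1",
]

# CONNECT host:port HTTP/x.y  -> capture the requested tunnel port.
CONNECT_RE = re.compile(r"^CONNECT\s+\S+?:(\d+)\s+HTTP/\d\.\d$")


def connect_port(line):
    """Return the tunnel port of a CONNECT request, or None for other methods."""
    m = CONNECT_RE.match(line)
    return int(m.group(1)) if m else None


def two_separate_rules(line):
    """Models two independent rules, 'CONNECT to !80' and 'CONNECT to !443'.

    Returns the names of the rules that would fire.  Every CONNECT matches at
    least one of them, which is the false-positive problem sekure points out:
    a CONNECT to 443 is not port 80, so the !80 rule fires, and vice versa.
    """
    port = connect_port(line)
    if port is None:
        return []
    fired = []
    if port != 80:
        fired.append("CONNECT_not_80")
    if port != 443:
        fired.append("CONNECT_not_443")
    return fired


def combined_rule(line):
    """Models a single rule whose port condition excludes both 80 and 443."""
    port = connect_port(line)
    return port is not None and port not in (80, 443)


def alert_with_pass_rules(line, pass_ports=(80, 443)):
    """Models the fallback: alert on every CONNECT, with pass rules for the
    allowed ports evaluated first so they suppress the generic alert."""
    port = connect_port(line)
    if port is None:
        return False
    if port in pass_ports:  # a pass rule matched, so no alert is raised
        return False
    return True  # generic CONNECT alert fires for a non-standard port


def evaluate(lines):
    """Run all three models over the sample and return the verdicts per line."""
    return {
        line: {
            "separate": two_separate_rules(line),
            "combined": combined_rule(line),
            "alert_pass": alert_with_pass_rules(line),
        }
        for line in lines
    }


if __name__ == "__main__":
    for line, verdict in evaluate(SAMPLE_REQUESTS).items():
        print(f"{line!r}: {verdict}")
```

Only the "combined" and "alert_pass" models stay quiet on CONNECTs to 80 and 443 while still flagging the tunnels to 22 and 8443. One caveat for the pass-rule variant in real Snort 2.x: the default rule application order is alert, pass, log, so the pass rules only take precedence if Snort is started with `-o` or the configuration sets `config order: pass alert log`; otherwise the blanket CONNECT alert fires before the pass rule is ever considered.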