[Snort-sigs] HTTP Tunneling
smil at ...1754...
Sat Jul 17 02:34:01 EDT 2004
On Fri, 16 Jul 2004, Schmehl, Paul L wrote:
> Why would you even need to bother? Since you're passing both port 80
> and port 443 traffic, ISTM you'd only need one rule:
> alert tcp any any -> any any (sid: 1000027; rev: 1; msg:"HTTP \
> CONNECT Tunnel"; content:"CONNECT"; nocase; content:"HTTP/1."; \
> nocase; classtype:misc-activity;)
But wouldn't that be an invitation for many false positives?
It might be a good idea to put a limit to the payload to be
searched. The CONNECT and the HTTP/1. statement should not be
that far away from each other, should they?
I had a good amount of noise with rules like that (especially
mail and news traffic were triggering false positives).
Just my 2 cts,
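To make the proximity point concrete, here is an added Python example (not from this thread and not Snort's own code) that emulates the quoted loose rule next to a tightened one and runs both over constructed sample payloads. The sample payloads, the 300-byte maximum gap and the function names are assumptions chosen for illustration.

```python
# Constructed sample payloads (not captured traffic). The first is a genuine
# proxy CONNECT request line; the other two are mail and news payloads that
# merely contain both strings somewhere, which is the kind of traffic the
# thread reports as false positives for the loose rule.
CONNECT_REQUEST = (
    b"CONNECT mail.example.com:443 HTTP/1.1\r\n"
    b"Host: mail.example.com:443\r\n\r\n"
)
MAIL_BODY = (
    b"Subject: please connect to the new server\r\n\r\n"
    b"Hi, when you connect tomorrow remember the proxy logs everything. "
    + b"x" * 400
    + b"\r\nAlso the old server still speaks HTTP/1.0 only.\r\n"
)
NEWS_POST = (
    b"Path: news.example\r\nSubject: HTTP/1.1 connect issues\r\n\r\n"
    b"Anyone else seeing this?\r\n"
)


def loose_match(payload: bytes) -> bool:
    """Emulate the quoted rule: both contents anywhere in the payload,
    case-insensitive, with no constraint on order or distance."""
    p = payload.lower()
    return b"connect" in p and b"http/1." in p


def tight_match(payload: bytes, max_gap: int = 300) -> bool:
    """Emulate a tightened rule: CONNECT must open the payload (what Snort's
    depth:7 on the first content expresses) and HTTP/1. must follow it with
    at most max_gap bytes in between (an approximation of distance:0 plus a
    within: bound on the second content). max_gap=300 is an assumed value
    large enough for a host:port target but far smaller than a mail body."""
    p = payload.lower()
    method = b"connect"
    if not p.startswith(method):
        return False
    pos = p.find(b"http/1.", len(method))
    return pos != -1 and (pos - len(method)) <= max_gap


def classify(samples: dict) -> dict:
    """Return {name: (loose_fires, tight_fires)} for a set of payloads."""
    return {name: (loose_match(pl), tight_match(pl)) for name, pl in samples.items()}


if __name__ == "__main__":
    samples = {"connect": CONNECT_REQUEST, "mail": MAIL_BODY, "news": NEWS_POST}
    for name, (loose, tight) in classify(samples).items():
        print(f"{name:8s} loose={loose!s:5s} tight={tight!s:5s}")
```

Running it shows the loose check firing on all three payloads while the tightened check fires only on the real CONNECT request. In Snort rule terms the tightened check corresponds to anchoring the first content with `depth:7` and constraining the second with `distance:0; within:N`, which is the kind of payload limit the reply above is asking for.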