[Snort-sigs] HTTP Tunneling

Chris Kronberg smil at ...1754...
Sat Jul 17 02:34:01 EDT 2004

On Fri, 16 Jul 2004, Schmehl, Paul L wrote:

> Why would you even need to bother?  Since you're passing both port 80
> and port 443 traffic, ISTM you'd only need one rule:
> alert tcp any any -> any any (sid: 1000027; rev: 1; msg:"HTTP \
> CONNECT Tunnel"; content:"CONNECT"; nocase; content:"HTTP/1."; \
> nocase; classtype:misc-activity;)

  But wouldn't that be an invitation for many false positives?
  It might be a good idea to put a limit to the payload to be
  seached. The CONNECT and the HTTP/1. statement should be not
  that far away from each other, shouldn't they?
  I had a good amount of noise with rules like that (especially
  mail and news traffic were triggering false positives).

  Just my 2 cts,


More information about the Snort-sigs mailing list