[Snort-users] Detecting tunnels?
mark-dated-1023035667.a64897 at ...5782...
Fri May 3 10:09:18 EDT 2002
I'm a relative newbie to snort. I'm trying to write some rules that will
allow me to detect things like GNU httptunnel, corkscrew, ppp-in-telnet,
etc. I'm stuck on the first one.
One of the characteristics of GNU httptunnel is that it will open up a
simultaneous GET and POST between the client and the server. After having
looked at quite a few proxy logs, I think that this is a relatively unique
identification for GNU httptunnel. Here's a sample proxy log output for a
GNU httptunnel session:
xxx.xxx.xxx.xxx - - [ 3/May/2002:12:29:38 -0400] "GET http://server:1111/index.html HTTP/1.0" - - "-" "-"
xxx.xxx.xxx.xxx - - [ 3/May/2002:12:29:38 -0400] "POST http://server:1111/index.html HTTP/1.0" - - "-" "-"
I've read the Snort Users Manual. I've found the sections on
activate/dynamic rules and the tag option. I'm having a hard time
understanding how to effectively implement these features. I'm trying to
write rules that will do this:
1a) If you see client issue a GET to server, wait 1 second.
1b) If see client from 1a issue POST to server from 1a w/in the 1 second,
issue an alert.
2a) If you see client issue a POST to server, wait 1 second.
2b) If see client from 2a issue GET to server from 2a w/in the 1 second,
issue an alert.
It seems to me that I ought to be able to do something like this but I
can't seem to figure out how to use either activate/dynamic rules or tag's
to implement it.
Anyone have some suggestions?
P.S. I'm not subscribed to the list. I would appreciate if you would cc:
me on any responses. Thanks.
More information about the Snort-users