[Snort-users] Detecting tunnels?

Chris Green cmg at ...1935...
Fri May 3 13:57:04 EDT 2002


Mark Horn <mark-dated-1023035667.a64897 at ...5782...> writes:

> One of the characteristics of GNU httptunnel is that it will open up a
> simultaneous GET and POST between the client and the server.  After having
> looked at quite a few proxy logs, I think that this is a relatively unique
> identification for GNU httptunnel.  Here's a sample proxy log output for a
> GNU httptunnel session:
>
> xxx.xxx.xxx.xxx - - [ 3/May/2002:12:29:38 -0400] "GET http://server:1111/index.html HTTP/1.0" - - "-" "-"
> xxx.xxx.xxx.xxx - - [ 3/May/2002:12:29:38 -0400] "POST http://server:1111/index.html HTTP/1.0" - - "-" "-"
>
> 1a) If you see client issue a GET to server, wait 1 second.
> 1b) If you see client from 1a issue POST to server from 1a w/in the 1 second,
> issue an alert.
>
> 2a) If you see client issue a POST to server, wait 1 second.
> 2b) If you see client from 2a issue GET to server from 2a w/in the 1 second,
> issue an alert.
>
> Anyone have some suggestions?

There's no really good functionality to add this level of application
level time delay fingerprinting.  Providing the correct hooks for
this will be an interesting challenge.  We could use the preexisting
tag type structure or perhaps we could have a per IP pair
"metasession" tracker that is applied to every session.  This IP<->IP
tracker would contain information regarding signatures that the
session has already set off.

Hrm. Food for thought.

Are there any other unique aspects of GNU http tunnel? 
-- 
Chris Green <cmg at ...1935...>
Eschew obfuscation.
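The GET/POST pairing heuristic from rules 1a/1b and 2a/2b, applied offline to proxy log lines in the format quoted above. This is an added example written for this thread, not code from the original post or from Snort; the log lines and the 1-second window are constructed inputs, and the parser assumes the log is in time order.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the proxy log format quoted in the post.
# Lines 1-2 mimic an httptunnel session (GET and POST in the same second);
# lines 3-4 are ordinary browsing, eight seconds apart, and must not alert.
SAMPLE_LOG = """\
10.0.0.5 - - [ 3/May/2002:12:29:38 -0400] "GET http://server:1111/index.html HTTP/1.0" - - "-" "-"
10.0.0.5 - - [ 3/May/2002:12:29:38 -0400] "POST http://server:1111/index.html HTTP/1.0" - - "-" "-"
10.0.0.7 - - [ 3/May/2002:12:30:01 -0400] "GET http://www.example.com/ HTTP/1.0" - - "-" "-"
10.0.0.7 - - [ 3/May/2002:12:30:09 -0400] "POST http://www.example.com/form HTTP/1.0" - - "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[\s*([^\]]+)\] "(GET|POST) (\S+) HTTP/[\d.]+"')
HOST_RE = re.compile(r'^https?://([^/]+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (client, timestamp, method, server) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, ts, method, url = m.groups()
    host = HOST_RE.match(url)
    if not host:
        return None
    return client, datetime.strptime(ts.strip(), TS_FMT), method, host.group(1)

def find_tunnel_pairs(lines, window=timedelta(seconds=1)):
    """Alert on (client, server, time) when the same client issued a GET and a
    POST to the same server within `window`, in either order (1a/1b and 2a/2b)."""
    last = defaultdict(dict)   # (client, server) -> {method: most recent timestamp}
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, t, method, server = rec
        key = (client, server)
        other = "POST" if method == "GET" else "GET"
        prev = last[key].get(other)
        # Only pair with an earlier opposite-method request inside the window;
        # a negative delta means the log is out of order and is not matched.
        if prev is not None and timedelta(0) <= t - prev <= window:
            alerts.append((client, server, t))
        last[key][method] = t
    return alerts

if __name__ == "__main__":
    for client, server, t in find_tunnel_pairs(SAMPLE_LOG.splitlines()):
        print(f"possible httptunnel: {client} -> {server} at {t}")
```

Run against a real proxy log, the same rule will also fire on legitimate pages that issue a form POST right after a GET, so the server/port and request size should be reviewed before treating a hit as a tunnel.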