[Snort-users] detecting http-tunnel traffic

Derya Sezen funky at ...8796...
Sun Apr 20 16:15:08 EDT 2003


Using the libpcap, i wrote a sniffer for HTTP. By fetching the
information i get in application layer(HTTP protocol), i wanna add rules
to snort which detects the packets i want. I'm interested in HTTP-tunnel
packets. For this, i analysed the traffic when i try to access the sites
like go.icq.com , game.yahoo.com , which uses java based applets(but
there is also crypted traffic) How can i detect the http-tunnel traffic
made by such sites?



More information about the Snort-users mailing list