[Snort-users] anomalous http server

Matt Kettler mkettler at ...4108...
Wed Feb 18 08:02:14 EST 2004


At 11:07 PM 2/17/2004, cc wrote:
>
>Hi
>
>Pardon my ignorance, but can someone please explain to me this
>particular signature?   My understanding of it is that it detects
>any HTTP traffic on non HTTP ports(by which I'm assuming 80 and
>the HTTPS port).  But since the client's port is never 80, then
>it basically tags all information that's being sent from the
>client and sent from the http server(port 80) to the client's
>browser(port != 80).
>
>Any clarifications appreciated

Theoretically speaking (I've not examined the code) client traffic should 
be ignored. Are you seeing FP cases?

It's VERY easy within snort to know whether traffic is from a server or a 
client with respect to the TCP handshake sequence.

It's also easy to tell the difference between a HTTP server response, and a 
HTTP client request based on looking at the data stream alone. The strings 
generated are very different. Servers don't generate "GET" or "POST" 
requests, clients do. Servers answer them.

Thus a server can be detected by something like: "if a packet containing 
what looks like a HTTP GET or POST request is sent to a port which did not 
originate the TCP handshake and an answer is generated, the answering port 
is probably a HTTP server". From there, just add on "if the answering port 
is not 80, 443 (https), or 8080, it's probably an anomalous server".
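As an added illustration of the heuristic Matt sketches (example code written for this page, not Snort's own detection logic): the flow tracker below uses the bare SYN to fix which side is the client, marks a flow once the client side sends something that looks like an HTTP request, and reports the answering side's port if it is outside 80/443/8080. The packets are constructed, not captured.

```python
from collections import namedtuple

# Constructed packet model: just the fields the heuristic needs (no real capture).
Packet = namedtuple("Packet", "src sport dst dport flags payload")

EXPECTED_HTTP_PORTS = {80, 443, 8080}   # ports the post treats as "not anomalous"
REQUEST_TOKENS = (b"GET ", b"POST ", b"HEAD ")  # only clients send these; servers answer

def detect_anomalous_http_servers(packets):
    """Return {(server_ip, server_port)} for every flow in which the handshake
    responder answered an HTTP-request-looking payload on a non-HTTP port."""
    flows = {}          # (client_ip, client_port, server_ip, server_port) -> request seen?
    anomalous = set()
    for p in packets:
        fwd = (p.src, p.sport, p.dst, p.dport)   # key if p goes client -> server
        rev = (p.dst, p.dport, p.src, p.sport)   # key if p goes server -> client
        if p.flags == "S":
            # bare SYN: whoever sends it originated the handshake, i.e. is the client
            flows[fwd] = False
        elif fwd in flows:
            # client -> server data: remember whether it looks like an HTTP request
            if p.payload.startswith(REQUEST_TOKENS):
                flows[fwd] = True
        elif rev in flows and flows[rev] and p.payload:
            # server -> client answer to a request: the answering port is an HTTP server
            if p.sport not in EXPECTED_HTTP_PORTS:
                anomalous.add((p.src, p.sport))
    return anomalous

def sample_traffic():
    """Constructed flows: normal web, HTTP on 8443, unanswered probe, SSH on 2222."""
    c = "192.0.2.10"
    return [
        Packet(c, 40001, "198.51.100.1", 80, "S", b""),
        Packet(c, 40001, "198.51.100.1", 80, "PA", b"GET / HTTP/1.1\r\n\r\n"),
        Packet("198.51.100.1", 80, c, 40001, "PA", b"HTTP/1.1 200 OK\r\n\r\n"),
        Packet(c, 40002, "198.51.100.2", 8443, "S", b""),
        Packet(c, 40002, "198.51.100.2", 8443, "PA", b"POST /api HTTP/1.1\r\n\r\n"),
        Packet("198.51.100.2", 8443, c, 40002, "PA", b"HTTP/1.1 200 OK\r\n\r\n"),
        Packet(c, 40003, "198.51.100.3", 31337, "S", b""),
        Packet(c, 40003, "198.51.100.3", 31337, "PA", b"GET / HTTP/1.1\r\n\r\n"),
        Packet(c, 40004, "198.51.100.4", 2222, "S", b""),
        Packet("198.51.100.4", 2222, c, 40004, "PA", b"SSH-2.0-OpenSSH\r\n"),
    ]

if __name__ == "__main__":
    print(detect_anomalous_http_servers(sample_traffic()))  # {('198.51.100.2', 8443)}
```

Only the 8443 flow is reported: the port-80 session is expected, the 31337 request never gets an answer, and the 2222 server speaks first without any request-looking client data.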
