Snort mailing list archives
Re: Detecting tunnels?
From: Chris Green <cmg () sourcefire com>
Date: Fri, 03 May 2002 15:50:13 -0400
Mark Horn <mark-dated-1023035667.a64897 () hornclan com> writes:
One of the characteristics of GNU httptunnel is that it will open up a simultaneous GET and POST between the client and the server. After having looked at quite a few proxy logs, I think that this is a relatively unique identification for GNU httptunnel. Here's a sample proxy log output for a GNU httptunnel session:

xxx.xxx.xxx.xxx - - [ 3/May/2002:12:29:38 -0400] "GET http://server:1111/index.html HTTP/1.0" - - "-" "-"
xxx.xxx.xxx.xxx - - [ 3/May/2002:12:29:38 -0400] "POST http://server:1111/index.html HTTP/1.0" - - "-" "-"

1a) If you see client issue a GET to server, wait 1 second.
1b) If see client from 1a issue POST to server from 1a w/in the 1 second, issue an alert.
2a) If you see client issue a POST to server, wait 1 second.
2b) If see client from 2a issue GET to server from 2a w/in the 1 second, issue an alert.

Anyone have some suggestions?
There's no really good functionality to add this level of application level time delay finger printing. Providing the correct hooks for this will be an interesting challenge. We could use the preexisting tag type structure or perhaps we could have a per IP pair "metasession" tracker that is applied to every session. This IP<->IP tracker would contain information regarding signatures that the session has already set off. Hrm. Food for thought.

Are there any other unique aspects of GNU http tunnel?

-- 
Chris Green <cmg () sourcefire com>
Eschew obfuscation.
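The two rules Mark posted, implemented over proxy log lines as an added example (this is not code from the thread, from Snort, or from GNU httptunnel). It keeps the per-(client, server) "metasession" state Chris sketches: the last time each method was seen for that pair, so a GET followed by a POST, or a POST followed by a GET, within the window raises an alert. The log lines are constructed here in the same layout as the excerpt above; the one-second window, the sample addresses and the function names are assumptions of this example.

```python
"""Flag the simultaneous GET + POST pattern attributed to GNU httptunnel in proxy logs.

Added example, not code from the thread.  Log lines are constructed; addresses and
the 1-second window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample log in the thread's layout:
#   client - - [timestamp] "METHOD URL HTTP/1.0" - - "-" "-"
# Lines 1-2 mirror the httptunnel session (GET then POST, same second).
# Lines 3-5 are ordinary browsing: GETs, then a form POST 13 seconds later.
# Lines 6-7 exercise rule 2 (POST then GET) for a second client.
SAMPLE_LOG = """\
10.0.0.5 - - [ 3/May/2002:12:29:38 -0400] "GET http://server:1111/index.html HTTP/1.0" - - "-" "-"
10.0.0.5 - - [ 3/May/2002:12:29:38 -0400] "POST http://server:1111/index.html HTTP/1.0" - - "-" "-"
10.0.0.7 - - [ 3/May/2002:12:30:01 -0400] "GET http://www.example.com/ HTTP/1.0" - - "-" "-"
10.0.0.7 - - [ 3/May/2002:12:30:02 -0400] "GET http://www.example.com/style.css HTTP/1.0" - - "-" "-"
10.0.0.7 - - [ 3/May/2002:12:30:15 -0400] "POST http://www.example.com/login HTTP/1.0" - - "-" "-"
10.0.0.9 - - [ 3/May/2002:12:31:00 -0400] "POST http://server:1111/index.html HTTP/1.0" - - "-" "-"
10.0.0.9 - - [ 3/May/2002:12:31:00 -0400] "GET http://server:1111/index.html HTTP/1.0" - - "-" "-"
"""

# client, timestamp (leading space tolerated, as in the excerpt), method, URL
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[\s*([^\]]+)\] "(\S+) (\S+)[^"]*"')


def parse_line(line):
    """Return (client, server, method, timestamp), or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, stamp, method, url = m.groups()
    ts = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    server = urlsplit(url).netloc or url  # host:port of the proxied URL, e.g. "server:1111"
    return client, server, method.upper(), ts


def detect_httptunnel(log_text, window=timedelta(seconds=1)):
    """Apply rules 1 and 2: alert when one client sends both a GET and a POST to the
    same server within `window`, in either order.

    last_seen is the per-(client, server) tracker: the most recent timestamp of
    each method for that pair.  Returns a list of
    (client, server, "<first> then <second>", timestamp) tuples.
    """
    last_seen = defaultdict(dict)  # (client, server) -> {method: timestamp}
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, server, method, ts = rec
        if method not in ("GET", "POST"):
            continue
        pair = last_seen[(client, server)]
        other = "POST" if method == "GET" else "GET"
        # abs() tolerates log lines written slightly out of order
        if other in pair and abs(ts - pair[other]) <= window:
            alerts.append((client, server, f"{other} then {method}", ts))
        pair[method] = ts
    return alerts


if __name__ == "__main__":
    for client, server, order, ts in detect_httptunnel(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {client} -> {server}: {order} within 1s")
```

Run against the sample it raises two alerts, one per rule, and stays silent on the 10.0.0.7 browsing session because its POST arrives 13 seconds after the last GET. The window is the tunable: a one-second pairing of GET and POST to the same host is the only signal the rule has, so before deploying it, run it over a day of your own proxy logs to see how often ordinary sites trip it.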
Current thread:
- Detecting tunnels? Mark Horn (May 03)
- Re: Detecting tunnels? Chris Green (May 03)
- Re: Detecting tunnels? Mark Horn (May 05)
- Re: Detecting tunnels? Chris Green (May 03)