Snort mailing list archives

Re: Detecting tunnels?


From: Chris Green <cmg () sourcefire com>
Date: Fri, 03 May 2002 15:50:13 -0400

Mark Horn <mark-dated-1023035667.a64897 () hornclan com> writes:

One of the characteristics of GNU httptunnel is that it will open up a
simultaneous GET and POST between the client and the server.  After having
looked at quite a few proxy logs, I think that this is a relatively unique
identification for GNU httptunnel.  Here's a sample proxy log output for a
GNU httptunnel session:

xxx.xxx.xxx.xxx - - [ 3/May/2002:12:29:38 -0400] "GET http://server:1111/index.html HTTP/1.0" - - "-" "-"
xxx.xxx.xxx.xxx - - [ 3/May/2002:12:29:38 -0400] "POST http://server:1111/index.html HTTP/1.0" - - "-" "-"

1a) If you see a client issue a GET to a server, wait 1 second.
1b) If you see the client from 1a issue a POST to the server from 1a within that 1 second,
issue an alert.

2a) If you see a client issue a POST to a server, wait 1 second.
2b) If you see the client from 2a issue a GET to the server from 2a within that 1 second,
issue an alert.

Anyone have some suggestions?

There's no really good functionality to add this level of application
level time delay fingerprinting.  Providing the correct hooks for
this will be an interesting challenge.  We could use the preexisting
tag type structure or perhaps we could have a per IP pair
"metasession" tracker that is applied to every session.  This IP<->IP
tracker would contain information regarding signatures that the
session has already set off.

Hrm. Food for thought.

Are there any other unique aspects of GNU httptunnel?
-- 
Chris Green <cmg () sourcefire com>
Eschew obfuscation.

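The GET/POST pairing heuristic quoted above, as an added example that is not code from the thread or from Snort: a Python script that parses proxy log lines in the format shown and alerts when one client issues both a GET and a POST to the same server within one second, in either order. The client addresses and the last two log lines are constructed sample data.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed proxy log lines in the format quoted in the thread.
# The first pair mirrors the httptunnel sample; the second pair is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [ 3/May/2002:12:29:38 -0400] "GET http://server:1111/index.html HTTP/1.0" - - "-" "-"
10.0.0.5 - - [ 3/May/2002:12:29:38 -0400] "POST http://server:1111/index.html HTTP/1.0" - - "-" "-"
10.0.0.7 - - [ 3/May/2002:12:30:01 -0400] "GET http://www.example.com/ HTTP/1.0" - - "-" "-"
10.0.0.7 - - [ 3/May/2002:12:30:09 -0400] "POST http://www.example.com/login HTTP/1.0" - - "-" "-"
"""

# client, ident, user, [timestamp], "METHOD URL PROTO"
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[\s*([^\]]+)\] "(\S+) (\S+) [^"]*"')
WINDOW_SECONDS = 1.0  # the 1-second window proposed in the thread


def parse_line(line):
    """Return (client, timestamp, method, server) for one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, ts, method, url = m.groups()
    when = datetime.strptime(ts.strip(), "%d/%b/%Y:%H:%M:%S %z")
    server = urlsplit(url).netloc or "-"  # host[:port] the client talked to
    return client, when, method.upper(), server


def find_tunnel_pairs(log_text, window=WINDOW_SECONDS):
    """Alert when one client sends both a GET and a POST to the same server
    within `window` seconds (rules 1a/1b and 2a/2b above)."""
    last_seen = {}  # (client, server, method) -> most recent timestamp
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, when, method, server = rec
        if method not in ("GET", "POST"):
            continue
        other = "POST" if method == "GET" else "GET"
        prev = last_seen.get((client, server, other))
        if prev is not None and 0 <= (when - prev).total_seconds() <= window:
            alerts.append((client, server, other, method, when))
        last_seen[(client, server, method)] = when
    return alerts


if __name__ == "__main__":
    for a in find_tunnel_pairs(SAMPLE_LOG):
        print("possible httptunnel: %s -> %s (%s then %s at %s)" % a)
```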