Snort mailing list archives
Re: port 443 in HTTP port variable list
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Fri, 10 Jul 2015 11:36:57 -0600
Do you use the Hosts Attribute Table feature of Snort? If so, having mixed traffic like that (as far as I know on current versions) will break things, and Snort will not inspect some of the traffic you’d want it to. In my case, it was HTTPS traffic on an HTTP port (discovered by the hosts attribute system), even though those ports were listed in the pre-processor configuration.

From: Harley H [mailto:bobb.harley () gmail com]
Sent: July 10, 2015 10:05 AM
To: waldo kitty
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] port 443 in HTTP port variable list

I totally agree. I'm hoping to get a gauge as to whether it's common practice to add port 443 to the list. And, if it is common practice, would it be possible to add it to the default list? Alternatively, if it is not common practice, perhaps it should be.

On Fri, Jul 10, 2015 at 12:41 PM, waldo kitty <wkitty42 () windstream net> wrote:

On 07/10/2015 11:36 AM, Harley H wrote:

Have many of you added port 443 to the HTTP port variable? I see a lot of malware using plaintext HTTP over port 443 and am wondering if it's regular practice to add port 443 to the list.

if you are seeing plain text traffic over port 443, then someone or something is co-opting the fact that you are allowing that port inbound and/or outbound access... P2P, some music/video streaming apps and malware are coded to specifically get around network administrative restrictions...

as each network is different, if you are seeing plain text traffic on 443, then yes, i would add it to your "portvar HTTP_PORTS" list as well as the list of ports the http preprocessor uses... not doing so is letting that traffic pass without inspection and you could be allowing compromised data out or (other) malware in...

just like with having sex, an unprotected access point is a point of possible infiltration, infestation and compromise ;)

--
NOTE: No off-list assistance is given without prior approval.
*Please keep mailing list traffic on the list* unless private contact is specifically requested and granted.
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
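An added example, not part of the original thread or of Snort: a Python check that flags flows on port 443 whose first payload is cleartext HTTP rather than a TLS record, which is the condition the thread gives for adding 443 to HTTP_PORTS. The flow dictionaries, their field names and the sample data are assumptions constructed for illustration.

```python
import re

# HTTP/1.x request line or status line at the start of a TCP payload.
_HTTP_REQUEST = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) \S+ HTTP/1\.[01]\r?\n")
_HTTP_RESPONSE = re.compile(rb"^HTTP/1\.[01] \d{3} ")

# TLS record types: change_cipher_spec, alert, handshake, application_data.
_TLS_CONTENT_TYPES = {20, 21, 22, 23}
_TLS_MAX_RECORD = 2**14 + 2048  # largest record length TLS 1.2 allows


def classify_payload(payload: bytes) -> str:
    """Return 'http', 'tls' or 'unknown' for the first bytes of a TCP payload."""
    if _HTTP_REQUEST.match(payload) or _HTTP_RESPONSE.match(payload):
        return "http"
    if len(payload) >= 5:
        ctype, major, minor = payload[0], payload[1], payload[2]
        length = int.from_bytes(payload[3:5], "big")
        if (ctype in _TLS_CONTENT_TYPES and major == 3 and minor <= 4
                and 0 < length <= _TLS_MAX_RECORD):
            return "tls"
    return "unknown"


def plaintext_http_flows(flows, port=443):
    """Return flows on `port` whose first payload is cleartext HTTP."""
    return [f for f in flows
            if f["dport"] == port and classify_payload(f["payload"]) == "http"]


# Constructed sample flows (hypothetical field names, documentation addresses).
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dport": 443,   # start of a TLS ClientHello record
     "payload": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"},
    {"src": "192.0.2.11", "dport": 443,   # cleartext HTTP on the HTTPS port
     "payload": b"POST /checkin HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"src": "192.0.2.12", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"},
    {"src": "192.0.2.13", "dport": 443, "payload": b"\x00\x01\x02"},
]

if __name__ == "__main__":
    for flow in plaintext_http_flows(SAMPLE_FLOWS):
        first_line = flow["payload"].split(b"\r\n", 1)[0]
        print(flow["src"], "-> port", flow["dport"], "cleartext HTTP:", first_line)
```
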
Current thread:
- port 443 in HTTP port variable list Harley H (Jul 10)
- Re: port 443 in HTTP port variable list waldo kitty (Jul 10)
- Re: port 443 in HTTP port variable list Harley H (Jul 10)
- Re: port 443 in HTTP port variable list Jefferson, Shawn (Jul 10)
- Re: port 443 in HTTP port variable list Harley H (Jul 10)
- Re: port 443 in HTTP port variable list Jefferson, Shawn (Jul 10)
- Re: port 443 in HTTP port variable list Harley H (Jul 10)
- Re: port 443 in HTTP port variable list waldo kitty (Jul 10)