Recognizing HTTP Traffic on Unusual Ports

Table of contents:


To improve security and reduce bandwidth usage, it is essential to ensure that only authorized web servers are running on the network.


HTTP traffic is easy to detect; write a rule to identify it and log the packets to determine the port and IP of the offending server.


HTTP traffic is easily identifiable. The following list covers most HTTP commands:

  • GET
  • HEAD
  • POST
  • PUT
  • trACE

So a rule that detects these commands will record all HTTP traffic. Obviously you won't want to record any traffic that is going to and from legitimate HTTP servers, so the rule should be written to exclude these. For example, the following example will detect any GET command to any machine that isn't the web server on


alert tcp any any -> !WEBSERVER any ( content: "GET"; msg: "Detected HTTP GET";


See Also

Recipe 7.1

Recipe 4.3

Creating a Reactive IDS

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance


Snort Cookbook
Snort Cookbook
ISBN: 0596007914
EAN: 2147483647
Year: 2006
Pages: 167 © 2008-2020.
If you may any questions please contact us: