To improve security and reduce bandwidth usage, it is essential to ensure that only authorized web servers are running on the network.
HTTP traffic is easy to detect; write a rule to identify it and log the packets to determine the port and IP of the offending server.
HTTP traffic is easily identifiable. The following list covers most HTTP commands:
So a rule that detects these commands will record all HTTP traffic. Obviously you won't want to record any traffic that is going to and from legitimate HTTP servers, so the rule should be written to exclude these. For example, the following example will detect any GET command to any machine that isn't the web server on 192.168.0.8:
var WEBSERVER 192.168.0.8 alert tcp any any -> !WEBSERVER any ( content: "GET"; msg: "Detected HTTP GET";
Creating a Reactive IDS
Installing Snort from Source on Unix
Logging to a File Quickly
How to Build Rules
Detecting Stateless Attacks and Stream Reassembly
Managing Snort Sensors
Generating Statistical Output from Snort Logs
Monitoring Network Performance