Recognizing HTTP Traffic on Unusual Ports

Table of contents:

Problem

To improve security and reduce bandwidth usage, it is essential to ensure that only authorized web servers are running on the network.

Solution

HTTP traffic is easy to detect; write a rule to identify it and log the packets to determine the port and IP of the offending server.

Description

HTTP traffic is easily identifiable. The following list covers most HTTP commands:

  • OPTIONS
  • GET
  • HEAD
  • POST
  • PUT
  • DELETE
  • trACE
  • CONNECT

So a rule that detects these commands will record all HTTP traffic. Obviously you won't want to record any traffic that is going to and from legitimate HTTP servers, so the rule should be written to exclude these. For example, the following example will detect any GET command to any machine that isn't the web server on 192.168.0.8:

var WEBSERVER 192.168.0.8

alert tcp any any -> !WEBSERVER any ( content: "GET"; msg: "Detected HTTP GET";

 

See Also

Recipe 7.1

Recipe 4.3

Creating a Reactive IDS

Installing Snort from Source on Unix

Logging to a File Quickly

How to Build Rules

Detecting Stateless Attacks and Stream Reassembly

Managing Snort Sensors

Generating Statistical Output from Snort Logs

Monitoring Network Performance

Index



Snort Cookbook
Snort Cookbook
ISBN: 0596007914
EAN: 2147483647
Year: 2006
Pages: 167

Flylib.com © 2008-2020.
If you may any questions please contact us: flylib@qtcs.net