Snort mailing list archives

detecting http-tunnel traffic


From: Derya Sezen <funky () gsu linux org tr>
Date: 21 Apr 2003 02:08:42 +0300


Hi,

Using libpcap, I wrote a sniffer for HTTP. By fetching the
information I get in the application layer (HTTP protocol), I wanna add rules
to Snort which detect the packets I want. I'm interested in HTTP-tunnel
packets. For this, I analysed the traffic when I try to access sites
like go.icq.com, game.yahoo.com, which use Java-based applets (but
there is also crypted traffic). How can I detect the http-tunnel traffic
made by such sites?

thanx

funky
Istanbul



