Snort mailing list archives

Re: anomalous http server


From: Matt Kettler <mkettler () evi-inc com>
Date: Wed, 18 Feb 2004 11:00:16 -0500

At 11:07 PM 2/17/2004, cc wrote:

Hi

Pardon my ignorance, but can someone please explain to me this
particular signature?   My understanding of it is that it detects
any HTTP traffic on non HTTP ports(by which I'm assuming 80 and
the HTTPS port).  But since the client's port is never 80, then
it basically tags all information that's being sent from the
client and sent from the http server(port 80) to the client's
browser(port != 80).

Any clarifications appreciated

Theoretically speaking (I've not examined the code) client traffic should be ignored. Are you seeing FP cases?

It's VERY easy within snort to know whether traffic is from a server or a client with respect to the TCP handshake sequence.

It's also easy to tell the difference between a HTTP server response, and a HTTP client request based on looking at the data stream alone. The strings generated are very different. Servers don't generate "GET" or "POST" requests, clients do. Servers answer them.

Thus a server can be detected by something like: "if a packet containing what looks like a HTTP GET or POST request is sent to a port which did not originate the TCP handshake and an answer is generated, the answering port is probably a HTTP server". From there, just add on "if the answering port is not 80, 443 (https), or 8080, it's probably an anomalous server".
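The heuristic described in the reply above, written out as an added example in Python (not code from the thread or from Snort): direction is taken from which side sent the SYN, a request line is only accepted from the client side, a status line only from the server side and only after a request, and a responder outside the expected ports is reported. The packet field names and the sample traffic are this example's own assumptions.

```python
import re

# Ports the reply treats as expected for HTTP servers.
STANDARD_HTTP_PORTS = {80, 443, 8080}
# Request lines only come from clients; status lines only from servers.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
STATUS_LINE = re.compile(rb"^HTTP/1\.[01] \d{3} ")

def find_anomalous_http_servers(packets):
    """Each packet is a dict: "flow" = (client_ip, client_port, server_ip,
    server_port) where the client is the side that sent the SYN (direction
    comes from the handshake, not from port numbers); "to_server" = True for
    client -> server; "payload" = TCP payload bytes.  Returns the set of
    (server_ip, server_port) that answered an HTTP request on a port outside
    STANDARD_HTTP_PORTS (field names are this example's own assumption)."""
    state = {}  # flow -> {"request": bool, "response": bool}
    for pkt in packets:
        st = state.setdefault(pkt["flow"], {"request": False, "response": False})
        if pkt["to_server"] and REQUEST_LINE.match(pkt["payload"]):
            st["request"] = True
        # A status line only counts if a request to this server was seen first.
        elif not pkt["to_server"] and st["request"] and STATUS_LINE.match(pkt["payload"]):
            st["response"] = True
    return {
        (server_ip, server_port)
        for (_, _, server_ip, server_port), st in state.items()
        if st["request"] and st["response"] and server_port not in STANDARD_HTTP_PORTS
    }

# Constructed sample traffic (not from the original thread).
SAMPLE_PACKETS = [
    # Ordinary browsing: request to port 80, answered from port 80 -> not flagged.
    {"flow": ("10.0.0.5", 51000, "192.0.2.10", 80), "to_server": True,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"},
    {"flow": ("10.0.0.5", 51000, "192.0.2.10", 80), "to_server": False,
     "payload": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"},
    # A listener on port 3128 that answers HTTP -> anomalous server.
    {"flow": ("10.0.0.5", 51001, "192.0.2.20", 3128), "to_server": True,
     "payload": b"POST /login HTTP/1.0\r\nContent-Length: 0\r\n\r\n"},
    {"flow": ("10.0.0.5", 51001, "192.0.2.20", 3128), "to_server": False,
     "payload": b"HTTP/1.0 302 Found\r\nLocation: /\r\n\r\n"},
    # Request to port 8000 that is never answered -> no server, not flagged.
    {"flow": ("10.0.0.5", 51002, "192.0.2.30", 8000), "to_server": True,
     "payload": b"GET / HTTP/1.1\r\nHost: www\r\n\r\n"},
]
```

Note that a client's own traffic never trips the check, because request lines are only considered when they travel toward the side that accepted the handshake, which is the point raised in the original question.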





