Snort mailing list archives

Re: port 443 in HTTP port variable list


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 10 Jul 2015 12:41:38 -0400

On 07/10/2015 11:36 AM, Harley H wrote:
> Have many of you added port 443 to the HTTP port variable? I see a lot of
> malware using plaintext HTTP over port 443 and am wondering if it's regular
> practice to add port 443 to the list.

if you are seeing plain text traffic over port 443, then someone or something is 
co-opting the fact that you are allowing that port inbound and/or outbound 
access... P2P, some music/video streaming apps and malware are coded to 
specifically get around network administrative restrictions...

as each network is different, if you are seeing plain text traffic on 443, then 
yes, i would add it to your "portvar HTTP_PORTS" list as well as the list of 
ports the http preprocessor uses... not doing so is letting that traffic pass 
without inspection and you could be allowing compromised data out or (other) 
malware in...

just like with having sex, an unprotected access point is a point of possible 
infiltration, infestation and compromise ;)

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
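
One way to confirm the condition discussed in this message, that port 443 is carrying plaintext HTTP rather than TLS, before adding it to HTTP_PORTS. This is an added example, not part of the original post or of Snort; the function names and the sample payloads are constructed for illustration.

```python
HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE",
                b"OPTIONS", b"CONNECT", b"PATCH", b"TRACE")
TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, app data

def looks_like_tls(payload: bytes) -> bool:
    """True if payload starts with a plausible SSLv3/TLS record header."""
    if len(payload) < 5:
        return False
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    # Record version 3.0-3.4; length bounded by the TLS ciphertext maximum.
    return (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and 0 < length <= 16384 + 2048)

def looks_like_http(payload: bytes) -> bool:
    """True if payload starts with an HTTP/1.x request line."""
    line, sep, _ = payload.partition(b"\r\n")
    parts = line.split(b" ")
    return (bool(sep) and len(parts) == 3 and parts[0] in HTTP_METHODS
            and parts[2].startswith(b"HTTP/1."))

def classify(payload: bytes) -> str:
    """Label the first client payload of a flow."""
    if looks_like_tls(payload):
        return "tls"
    if looks_like_http(payload):
        return "plaintext-http"
    return "other"  # includes SSLv2 hellos and non-HTTP cleartext protocols

def summarize(flows):
    """flows: iterable of (dst_port, first_client_payload); counts classes on 443."""
    counts = {"tls": 0, "plaintext-http": 0, "other": 0}
    for port, payload in flows:
        if port == 443:
            counts[classify(payload)] += 1
    return counts

# Constructed sample input (first client payloads), not captured traffic.
SAMPLE_FLOWS = [
    (443, bytes([22, 3, 1, 0, 0x2F, 1, 0, 0, 0x2B, 3, 3]) + b"\x00" * 36),
    (443, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (443, b"POST /upload HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    (443, b"\x00\x01binary-protocol"),
    (80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_FLOWS))
```

A non-zero "plaintext-http" count on 443 is the case where the port is passing HTTP that the rules and the http preprocessor never see.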
