Re: port 443 in HTTP port variable list

[Harley H <bobb.harley () gmail com>]

I don't think the host attribute table would apply to outbound malware C2
though.

On Fri, Jul 10, 2015 at 1:36 PM, Jefferson, Shawn <
Shawn.Jefferson () bcferries com> wrote:

> Do you use the Hosts Attribute Table feature of Snort?  If so, having
> mixed traffic like that (as far as I know on current versions) will break
> things, and Snort will not inspect some of the traffic you’d want it to.
> In my case, it was HTTPS traffic on an HTTP port (discovered by the hosts
> attribute system), even though those ports were listed in the pre-processor
> configuration.
>
>
>
> *From:* Harley H [mailto:bobb.harley () gmail com]
> *Sent:* July 10, 2015 10:05 AM
> *To:* waldo kitty
> *Cc:* snort-users () lists sourceforge net
> *Subject:* Re: [Snort-users] port 443 in HTTP port variable list
>
>
>
> I totally agree. I'm hoping to get a gauge as to whether it's common
> practice to add port 443 to the list. And, if it is common practice, would
> it be possible to add it to the default list? Alternatively, if it is not
> common practice, perhaps it should be.
>
>
>
>
>
> On Fri, Jul 10, 2015 at 12:41 PM, waldo kitty <wkitty42 () windstream net>
> wrote:
>
> On 07/10/2015 11:36 AM, Harley H wrote:
> > Have many of you added port 443 to the HTTP port variable? I see a lot of
> > malware using plaintext HTTP over port 443 and am wondering if it's
> regular
> > practice to add port 443 to the list.
>
> if you are seeing plain text traffic over port 443, then someone or
> something is
> co-opting the fact that you are allowing that port inbound and/or outbound
> access... P2P, some music/video streaming apps and malware are coded to
> specifically get around network administrative restrictions...
>
> as each network is different, if you are seeing plain text traffic on 443,
> then
> yes, i would add it to your "portvar HTTP_PORTS" list as well as the list
> of
> ports the http preprocessor uses... not doing so is letting that traffic
> pass
> without inspection and you could be allowing compromised data out or
> (other)
> malware in...
>
> just like with having sex, an unprotected access point is a point of
> possible
> infiltration, infestation and compromise ;)
>
> --
>   NOTE: No off-list assistance is given without prior approval.
>         *Please keep mailing list traffic on the list* unless
>         private contact is specifically requested and granted.
>
>
> ------------------------------------------------------------------------------
> Don't Limit Your Business. Reach for the Cloud.
> GigeNET's Cloud Solutions provide you with the tools and support that
> you need to offload your IT needs and focus on growing your business.
> Configured For All Businesses. Start Your Cloud Today.
> https://www.gigenetcloud.com/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!