Recognizing HTTP Traffic on Unusual Ports
Problem
To improve security and reduce bandwidth usage, it is essential to ensure that only authorized web servers are running on the network.
Solution
HTTP traffic is easy to detect; write a rule to identify it and log the packets to determine the port and IP of the offending server.
Description
HTTP traffic is easily identifiable. The following list covers most HTTP commands:
- OPTIONS
- GET
- HEAD
- POST
- PUT
- DELETE
- trACE
- CONNECT
So a rule that detects these commands will record all HTTP traffic. Obviously you won't want to record any traffic that is going to and from legitimate HTTP servers, so the rule should be written to exclude these. For example, the following example will detect any GET command to any machine that isn't the web server on 192.168.0.8:
var WEBSERVER 192.168.0.8 alert tcp any any -> !WEBSERVER any ( content: "GET"; msg: "Detected HTTP GET";
See Also
Recipe 7.1
Recipe 4.3
Creating a Reactive IDS
|