I think these will do; any other known http ports we should exclude past 8080?
#idea from Blake Hartstein, use these only if you like. Not a definite indication of hostile activity
#add a pass rule like below for any expected ports you use that are not listed
pass tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"BLEEDING-EDGE POLICY HTTP GET on Normal Port 8080 - Passing"; flow:established,to_server; content:"GET "; nocase; depth:4; offset:0; flowbits:set,BS.HTTP.ok; flowbits:noalert; classtype:policy-violation; sid:2006407; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"BLEEDING-EDGE POLICY HTTP GET on unusual Port -- Possibly Hostile"; flowbits:isnotset,BS.HTTP.ok; flow:established,to_server; content:"GET "; nocase; depth:4; offset:0; classtype:policy-violation; sid:2006408; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 81:65535 (msg:"BLEEDING-EDGE POLICY HTTP POST on unusual Port -- Possibly Hostile"; flowbits:isnotset,BS.HTTP.ok; flow:established,to_server; content:"POST "; nocase; depth:5; offset:0; classtype:policy-violation; sid:2006409; rev:1;)
Can a few folks test those before I commit them? I want to be sure; these could cause havoc if not right.
Matt
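One way to test the pass/alert interplay of the three rules above offline, as an added Python simulation that is not part of the original post or the Bleeding rule set; the flow model, port set and sample payloads are assumptions. It also shows one case worth knowing before committing: the pass rule matches only GET, so a flow on 8080 whose first request is a POST still trips sid 2006409.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Added example, not from the original post: models the pass/alert logic of
# the three rules so it can be checked on constructed packets (assumptions).
PASS_PORTS = {8080}          # ports covered by a "pass" rule (add your own)
PASS_CONTENT = b"GET "       # the pass rule only matches GET, not POST
ALERT_RULES = [(b"GET ", 2006408), (b"POST ", 2006409)]

@dataclass
class Flow:
    """One established TCP flow; flowbits persist across its packets."""
    dst_port: int
    flowbits: Set[str] = field(default_factory=set)

def matches(payload: bytes, content: bytes) -> bool:
    """content:"X"; nocase; offset:0; depth:len(X); anchored at packet start."""
    return payload[: len(content)].upper() == content

def inspect(flow: Flow, payload: bytes) -> Optional[int]:
    """Return the sid that fires for one to_server packet, or None."""
    # Snort 2 evaluates pass rules before alert rules by default, so an
    # expected-port GET sets BS.HTTP.ok and is never alerted on.
    if flow.dst_port in PASS_PORTS and matches(payload, PASS_CONTENT):
        flow.flowbits.add("BS.HTTP.ok")
        return None
    # 81:65535 in the alert rules; port 80 is deliberately outside the range
    if 81 <= flow.dst_port <= 65535 and "BS.HTTP.ok" not in flow.flowbits:
        for content, sid in ALERT_RULES:
            if matches(payload, content):
                return sid
    return None

def run_samples() -> List[Tuple[str, Optional[int]]]:
    """Constructed packets, returned as (label, sid fired)."""
    f8080 = Flow(8080)
    cases = [
        ("GET on expected 8080", f8080, b"GET / HTTP/1.1\r\n"),
        ("POST later in that same flow", f8080, b"POST /u HTTP/1.1\r\n"),
        ("POST as first request on 8080 (pass gap)", Flow(8080), b"POST /u HTTP/1.1\r\n"),
        ("lowercase get on tcp/4099", Flow(4099), b"get /x.exe HTTP/1.0\r\n"),
        ("GET on port 80 (outside 81:65535)", Flow(80), b"GET / HTTP/1.1\r\n"),
        ("TLS ClientHello on 8443", Flow(8443), b"\x16\x03\x01\x00\xc8"),
    ]
    return [(label, inspect(flow, payload)) for label, flow, payload in cases]

if __name__ == "__main__":
    for label, sid in run_samples():
        print(f"{label:42} -> {sid or 'no alert'}")
```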
> -----Original Message-----
> From: bleeding-sigs-bounces@bleedingthreats.net
> [mailto:bleeding-sigs-bounces@bleedingthreats.net] On Behalf
> Of Matt Jonkman
> Sent: Thursday, July 19, 2007 11:34 AM
> To: 'Bleeding Sigs'
> Subject: RE: [Bleeding-sigs] Malicious HTTP Servers on
> non-standard ports
>
> I agree with you Blake, this would be an interesting thing to do. I've put
> thought into it before, but it's a complicated thing.
>
> How do we detect that http is running on an off port? We won't have uri
> normalization to rely on at that point either.
>
> We could run a set of rules that look for GET , POST , HEAD , CONNECT , etc
> on off ports. Anchored to the beginning of a packet it ought to be
> relatively low load.
>
> I think we'll be surprised by the number of http connections running on off
> ports. But it is worth a try.
>
> Anyone have other thoughts?
>
> Matt
>
> > -----Original Message-----
> > From: bleeding-sigs-bounces@bleedingthreats.net
> > [mailto:bleeding-sigs-bounces@bleedingthreats.net] On Behalf
> > Of Blake Hartstein
> > Sent: Thursday, July 19, 2007 1:55 AM
> > To: Bleeding Sigs
> > Subject: [Bleeding-sigs] Malicious HTTP Servers on
> > non-standard ports
> >
> > Strict firewall rules seem to be more reasonable to prevent this type of
> > traffic instead of alerting at the IDS, what are your thoughts on this
> > topic? In this case the malware is downloading from a remote IIS
> > Server/6.0 on tcp/4099.
> >
> > There are often servers that use non-standard ports in order to download
> > malcode. However, other programs also use the protocols in question
> > (HTTP) and a legitimate server might use a non-standard port.
> >
> > If you see an external HTTP server on a non-standard port, how likely
> > would you consider it a threat, and do you think it's valuable to see
> > servers which are running on non-standard ports?
> >
> > --
> > Blake Hartstein
> >
> > _______________________________________________
> > Bleeding-sigs mailing list
> > Bleeding-sigs@bleedingthreats.net
> > http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
> >