IPS misuse of port 80

Answered Question
May 19th, 2007

what signature catches the misuse of port 80 ?

I have this problem too.
0 votes
Correct Answer by hoogen_82 about 9 years 5 months ago

The HTTP Inspection engine feature allows users to detect and prohibit HTTP connections?such as tunneling over port 80, unauthorized request methods, and non-HTTP compliant file transfers.

This gives better idea for IOS based IPS



Do rate if this post helps :)

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Rodrigo Gurriti Sat, 05/19/2007 - 10:16

Well I really meant the IPS Appliances not the router IPS

I wanted to stop some p2p trafficking using a ips 4215

hoogen_82 Mon, 05/21/2007 - 03:24


I kind of tried looking around for a solution for your problem the only thing I seem to come up with is Custom signature.

I picked up something for Kazaa a p2p application. THe first thing is that you need to capture those packets using ethereal or any packet sniffer tools. Pick up a sample traffic. Look for something in the traffic sample that will identify the Kazaa application.

Signature identify key parts of the traffic which wouldn't change. For Kazaa the payload seems to have the same last 6 bytes in multiple captures.

Traffic characteristics, usually an UDP packet, Payload always ends with the same 6 bytes, payload ends in "kazaa" followed by null (ox00)

Custom Signature Settings

- Engine: ATOMIC.IP

- L4 Protocol of UDP

- Payload Regex: [Kk][Aa][Zz][Aa][Aa]\x00

Create a custom signature based on this:

In event action you could ask for a Produce Verbose alert. Specify the Layer 4 protocol. Use the Payload inspection to specify the regex.

Leave the signature turned on for atleast a week or two. And check for results.

But you have pre-defined signatures too for p2p traffic clients like

Kazaa 5534 sub sig id 0,1,&2.

Bittorent 11020,11030.

edonkey 11018.

MOst engines doing this inspection would be string.tcp or atomic.ip.

You can search your signature details in this site and then tune the signature to deny the connection inline.




Do rate helpful posts :)

Rodrigo Gurriti Mon, 05/21/2007 - 14:54

Hey man Thanks for all the help !!! I found the answer... the signature 12674 does stop non-http traffic.

But I'll keep in mind the custom atomic signatures, they are very handy .

Thanks for your help !


This Discussion