From: Chris Green (cmg@sourcefire.com)
Date: Fri May 03 2002 - 14:50:13 CDT
Mark Horn <mark-dated-1023035667.a64897@hornclan.com> writes:
> One of the characteristics of GNU httptunnel is that it will open up a
> simultaneous GET and POST between the client and the server. After having
> looked at quite a few proxy logs, I think that this is a relatively unique
> identification for GNU httptunnel. Here's a sample proxy log output for a
> GNU httptunnel session:
>
> xxx.xxx.xxx.xxx - - [ 3/May/2002:12:29:38 -0400] "GET http://server:1111/index.html HTTP/1.0" - - "-" "-"
> xxx.xxx.xxx.xxx - - [ 3/May/2002:12:29:38 -0400] "POST http://server:1111/index.html HTTP/1.0" - - "-" "-"
>
> 1a) If you see a client issue a GET to a server, wait 1 second.
> 1b) If you see the client from 1a issue a POST to the server from 1a within that 1 second,
> issue an alert.
>
> 2a) If you see a client issue a POST to a server, wait 1 second.
> 2b) If you see the client from 2a issue a GET to the server from 2a within that 1 second,
> issue an alert.
>
> Anyone have some suggestions?
There's no really good functionality to add this level of application
level time delay fingerprinting. Providing the correct hooks for
this will be an interesting challenge. We could use the preexisting
tag type structure or perhaps we could have a per IP pair
"metasession" tracker that is applied to every session. This IP<->IP
tracker would contain information regarding signatures that the
session has already set off.
Hrm. Food for thought.
Are there any other unique aspects of GNU httptunnel?
-- 
Chris Green <cmg@sourcefire.com>
Eschew obfuscation.
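The GET/POST pairing heuristic Mark describes (steps 1a/1b and 2a/2b) can be run offline over proxy logs even if Snort has no hook for it. The following is an added example written for this page, not code from the thread, from Snort or from GNU httptunnel; the log lines, client addresses and the 1-second window are constructed here, and the log format is assumed to match the sample Mark posted (lines are processed in time order).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Matches the proxy log layout from the quoted sample:
#   client - - [ 3/May/2002:12:29:38 -0400] "GET http://server:1111/index.html HTTP/1.0" ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[\s*(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*"'
)

# Constructed sample log (hypothetical client addresses); third pair is 5 s apart.
SAMPLE_LOG = [
    '10.0.0.5 - - [ 3/May/2002:12:29:38 -0400] "GET http://server:1111/index.html HTTP/1.0" - - "-" "-"',
    '10.0.0.5 - - [ 3/May/2002:12:29:38 -0400] "POST http://server:1111/index.html HTTP/1.0" - - "-" "-"',
    '10.0.0.7 - - [ 3/May/2002:12:30:00 -0400] "GET http://www.example.com/ HTTP/1.0" - - "-" "-"',
    '10.0.0.7 - - [ 3/May/2002:12:30:05 -0400] "POST http://www.example.com/form HTTP/1.0" - - "-" "-"',
    '10.0.0.9 - - [ 3/May/2002:12:31:10 -0400] "POST http://server:1111/index.html HTTP/1.0" - - "-" "-"',
    '10.0.0.9 - - [ 3/May/2002:12:31:10 -0400] "GET http://server:1111/index.html HTTP/1.0" - - "-" "-"',
]


def parse_line(line):
    """Return (client, server, method, timestamp) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].strip(), "%d/%b/%Y:%H:%M:%S %z")
    return m["client"], urlsplit(m["url"]).netloc, m["method"], ts


def find_httptunnel_pairs(lines, window=timedelta(seconds=1)):
    """Alert when a GET and a POST from the same client to the same server
    fall within `window` of each other, in either order (rules 1a/1b and 2a/2b)."""
    last_seen = defaultdict(dict)  # (client, server) -> {method: last timestamp}
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        client, server, method, ts = rec
        if method not in ("GET", "POST"):
            continue
        other = "POST" if method == "GET" else "GET"
        seen = last_seen[(client, server)]
        prev = seen.get(other)
        if prev is not None and timedelta(0) <= ts - prev <= window:
            alerts.append((client, server, ts, f"{other} then {method}"))
        seen[method] = ts  # remember this request for the opposite-method check
    return alerts
```

A browser that loads a page and immediately submits a form to the same host will also trip this, so the alert is a lead to review against the full session rather than a verdict on its own.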
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users