(http_inspect) source and destination ports are all 80



  • We got an SG-8860-IU
    mirrored our WAN port
    connected to the WAN interface of the SG-8860-IU
    LAN is connected to production network for managing the device
    Installed the Snort package, followed the configuration guide
    All I see is (http_inspect) source and destination port is 80 matched with random source and destination ports
    Ran a few penetration testing tools and hit our internet facing IPs, it does not show up in the alerts tab
    What did I miss?



  • First I would check if Snort actually sees HTTP port 80 traffic and in which direction.

    Run these two custom rules just to make sure the traffic is inspected/seen:

    alert tcp $EXTERNAL_NET 80 -> $HOME_NET [1024:] (msg:"Incoming HTTP Port 80 Traffic"; metadata:service http; classtype:policy-violation; sid:72171001; rev:1;)
    alert tcp $HOME_NET [1024:] -> $EXTERNAL_NET 80 (msg:"Outgoing HTTP Port 80 Traffic"; metadata:service http; classtype:policy-violation; sid:72171002; rev:1;)
    

    You can even test AppID with this rule:

    alert tcp $EXTERNAL_NET 80 <> $HOME_NET [1024:] (msg:"appID HTTP On Known Port"; appid: http; classtype:policy-violation; sid:72171003; rev:1;)
    

    If these rules trigger when surfing HTTP, not encrypted traffic on port 80, then everything is working… if not, maybe your EXTERNAL, HOME, or HTTP port aren't set properly.

    F.
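As an added example (not code from this thread), a short Python check of what the two direction test rules above produce: it parses Snort alert_fast lines (constructed samples here, carrying sids 72171001/72171002 from the rules above), reports whether both directions fired, and lists any inside hosts that fall outside the HOME_NET range you expect; the 192.0.2.0/24 value is an assumption for the sample.

```python
import re
import ipaddress
from collections import Counter

# Constructed alert_fast lines (not real captures); sids 72171001/72171002
# are the incoming/outgoing test rules from the post above.
SAMPLE_ALERTS = """\
01/15-10:01:02.123456  [**] [1:72171002:1] "Outgoing HTTP Port 80 Traffic" [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.10:51234 -> 203.0.113.5:80
01/15-10:01:02.223456  [**] [1:72171001:1] "Incoming HTTP Port 80 Traffic" [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 203.0.113.5:80 -> 192.0.2.10:51234
01/15-10:01:03.000001  [**] [1:72171002:1] "Outgoing HTTP Port 80 Traffic" [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.11:40000 -> 198.51.100.7:80
"""

# gid:sid:rev, then the {PROTO} src:port -> dst:port tail of an alert_fast line
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] .*?\{(?P<proto>\w+)\} "
    r"(?P<src>[0-9a-fA-F.:]+):(?P<sport>\d+) -> (?P<dst>[0-9a-fA-F.:]+):(?P<dport>\d+)"
)

INCOMING_SID, OUTGOING_SID = "72171001", "72171002"

def parse_alerts(text):
    """Yield one dict per alert_fast line that matches the expected layout."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.groupdict()

def direction_report(text, home_net):
    """Tally how often each test rule fired and which inside hosts were seen.

    home_net is the CIDR the user believes HOME_NET should cover (an assumption
    of this example); inside hosts outside it hint at a HOME_NET mismatch.
    Only one direction firing usually means the mirror port copies one way.
    """
    net = ipaddress.ip_network(home_net)
    counts = Counter()
    inside_hosts = set()
    for a in parse_alerts(text):
        if a["sid"] == INCOMING_SID:
            counts["incoming"] += 1
            inside_hosts.add(a["dst"])   # inside host is the destination
        elif a["sid"] == OUTGOING_SID:
            counts["outgoing"] += 1
            inside_hosts.add(a["src"])   # inside host is the source
    outside_home = sorted(h for h in inside_hosts if ipaddress.ip_address(h) not in net)
    return {
        "incoming": counts["incoming"],
        "outgoing": counts["outgoing"],
        "both_directions": counts["incoming"] > 0 and counts["outgoing"] > 0,
        "inside_hosts_not_in_home_net": outside_home,
    }

if __name__ == "__main__":
    print(direction_report(SAMPLE_ALERTS, "192.0.2.0/24"))
```

Point it at your real alert log instead of SAMPLE_ALERTS; a report with zero for one direction is the mirror-port symptom, and a non-empty host list means the HOME_NET you expect does not match the addresses Snort is actually seeing.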

