Netgate Discussion Forum

    (http_inspect) source and destination ports are all 80

    • leenix66

      We got a SG-8860-IU
      mirrored our WAN port
      connected to the WAN interface of the SG-8860-IU
      LAN is connected to production network for managing the device
      Installed the Snort package, followed the configuration guide
      All I see is (http_inspect) source and destination port is 80 matched with random source and destination ports
      Ran a few penetration testing tools and hit our internet facing IPs, it does not show up in the alerts tab
      What did I miss?

      • fsansfil

        First I would check if Snort actually sees HTTP Port 80 traffic and in which direction.

        Run these two custom rules just to make sure the traffic is inspected/seen:

        alert tcp $EXTERNAL_NET 80 -> $HOME_NET [1024:] (msg:"Incoming HTTP Port 80 Traffic"; metadata:service http; classtype:policy-violation; sid:72171001; rev:1;)
        alert tcp $HOME_NET [1024:] -> $EXTERNAL_NET 80 (msg:"Outgoing HTTP Port 80 Traffic"; metadata:service http; classtype:policy-violation; sid:72171002; rev:1;)
        

        You can even test AppID with this rule

        alert tcp $EXTERNAL_NET 80 <> $HOME_NET [1024:] (msg:"appID HTTP On Known Port"; appid: http; classtype:policy-violation; sid:72171003; rev:1;)
        

        If these rules trigger when surfing HTTP, not encrypted traffic on port 80, then everything is working… if not, maybe your EXTERNAL, HOME, or HTTP port aren't set properly.

        F.
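
One way to read the result of the two directional test rules, as an added example that is not part of either post: a small Python parser for Snort's fast-alert log lines that counts hits for SIDs 72171001 and 72171002 and reports which direction the sensor saw. The sample lines, addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# SIDs of the two directional test rules in the reply above.
INCOMING_SID, OUTGOING_SID = 72171001, 72171002

# Snort "fast" alert layout:
#   time [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\].*?\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)

def parse_alerts(lines):
    """Yield (gid, sid, src, dst) per fast-alert line; other lines are skipped."""
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            yield int(m["gid"]), int(m["sid"]), m["src"], m["dst"]

def diagnose(lines):
    """Return (per-SID hit counts, verdict) for the two test rules."""
    # Custom text rules carry generator id 1; everything else is ignored here.
    hits = Counter(sid for gid, sid, _, _ in parse_alerts(lines)
                   if gid == 1 and sid in (INCOMING_SID, OUTGOING_SID))
    seen_in, seen_out = hits[INCOMING_SID] > 0, hits[OUTGOING_SID] > 0
    if seen_in and seen_out:
        return hits, "both"            # requests and responses both inspected
    if seen_in:
        return hits, "incoming-only"   # only server-to-client packets matched
    if seen_out:
        return hits, "outgoing-only"   # only client-to-server packets matched
    return hits, "none"                # recheck HOME_NET, EXTERNAL_NET, HTTP ports

# Constructed sample lines (documentation address ranges), not real sensor output.
SAMPLE = [
    "03/14-10:15:02.123456  [**] [1:72171002:1] Outgoing HTTP Port 80 Traffic [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.10:51514 -> 198.51.100.7:80",
    "03/14-10:15:02.145001  [**] [1:72171001:1] Incoming HTTP Port 80 Traffic [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.7:80 -> 192.0.2.10:51514",
    "03/14-10:15:03.000210  [**] [1:72171002:1] Outgoing HTTP Port 80 Traffic [**] "
    "[Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.10:51514 -> 198.51.100.7:80",
    "03/14-10:15:04.500000  [**] [1:1000001:1] Constructed unrelated rule [**] "
    "[Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:40000 -> 198.51.100.7:443",
]

if __name__ == "__main__":
    counts, verdict = diagnose(SAMPLE)
    print(dict(counts), verdict)
```

A verdict of "incoming-only" or "outgoing-only" on a mirrored interface means the sensor matched only one half of each HTTP conversation, which points at the HOME_NET/EXTERNAL_NET definitions or at a mirror session that copies a single direction.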
