(http_inspect) source and destination ports are all 80
We got an SG-8860-IU.
Mirrored our WAN port.
Connected it to the WAN interface of the SG-8860-IU.
LAN is connected to the production network for managing the device.
Installed the Snort package and followed the configuration guide.
All I see is "(http_inspect) source and destination port is 80" matched with random source and destination ports.
Ran a few penetration testing tools and hit our internet-facing IPs; nothing shows up in the alerts tab.
What did I miss?
First I would check if Snort actually sees HTTP port 80 traffic and in which direction.
Run these two custom rules just to make sure the traffic is inspected/seen:
alert tcp $EXTERNAL_NET 80 -> $HOME_NET [1024:] (msg:"Incoming HTTP Port 80 Traffic"; metadata:service http; classtype:policy-violation; sid:72171001; rev:1;)
alert tcp $HOME_NET [1024:] -> $EXTERNAL_NET 80 (msg:"Outgoing HTTP Port 80 Traffic"; metadata:service http; classtype:policy-violation; sid:72171002; rev:1;)
You can even test AppID with this rule (it needs its own sid, so it does not collide with the outgoing rule above):
alert tcp $EXTERNAL_NET 80 <> $HOME_NET [1024:] (msg:"appID HTTP On Known Port"; appid: http; classtype:policy-violation; sid:72171003; rev:1;)
If these rules trigger when surfing HTTP (not encrypted traffic) on port 80, then everything is working… if not, maybe your EXTERNAL, HOME, or HTTP port aren't set properly.
F.
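As an added example (not part of this thread or of the Snort package), here is a small script that reads Snort alert_fast log lines, tallies which of the two test rules above (sid 72171001 incoming, sid 72171002 outgoing) actually fired, and checks that the $HOME_NET side of each hit is inside the address ranges you expect HOME_NET to cover. The log lines and the 198.51.100.0/24 range are constructed for the example; the check_direction_coverage function name is mine.

```python
import ipaddress
import re

# Matches the alert_fast line layout: [**] [gid:sid:rev] msg [**] ... {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\].*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# sids of the two directional test rules from the reply above.
TEST_SIDS = {72171001: "incoming", 72171002: "outgoing"}

# Constructed sample log: two incoming hits, one outgoing hit, one unrelated alert.
SAMPLE_ALERTS = """\
03/12-14:22:01.123456  [**] [1:72171001:1] Incoming HTTP Port 80 Traffic [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 203.0.113.5:80 -> 198.51.100.7:51234
03/12-14:22:01.456789  [**] [1:72171002:1] Outgoing HTTP Port 80 Traffic [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.7:51234 -> 203.0.113.5:80
03/12-14:22:03.000000  [**] [1:72171001:1] Incoming HTTP Port 80 Traffic [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 203.0.113.9:80 -> 10.0.0.5:40000
03/12-14:22:05.000000  [**] [1:1000001:1] unrelated local rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.9:443 -> 198.51.100.7:40001
""".splitlines()


def parse_alerts(lines):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            d = m.groupdict()
            alerts.append({"sid": int(d["sid"]), "src": d["src"], "dst": d["dst"],
                           "sport": int(d["sport"]), "dport": int(d["dport"])})
    return alerts


def check_direction_coverage(lines, expected_home_net):
    """Count test-rule hits per direction and flag hits whose $HOME_NET side
    is outside the ranges you expect HOME_NET to contain (a sign the Snort
    variable does not match your internet-facing addresses)."""
    nets = [ipaddress.ip_network(n) for n in expected_home_net]
    seen = {"incoming": 0, "outgoing": 0}
    misplaced = []
    for a in parse_alerts(lines):
        direction = TEST_SIDS.get(a["sid"])
        if direction is None:
            continue  # not one of the two test rules
        seen[direction] += 1
        # Incoming rule: destination is the $HOME_NET side; outgoing rule: the source is.
        home_side = ipaddress.ip_address(a["dst"] if direction == "incoming" else a["src"])
        if not any(home_side in n for n in nets):
            misplaced.append((a["sid"], str(home_side)))
    return seen, misplaced


if __name__ == "__main__":
    counts, odd = check_direction_coverage(SAMPLE_ALERTS, ["198.51.100.0/24"])
    print("test rule hits per direction:", counts)
    print("hits whose HOME_NET side is outside the expected ranges:", odd)
```

A direction with zero hits while you are browsing plain HTTP points at the variables or the mirror, not at the rules; entries in the "misplaced" list show Snort's HOME_NET covering addresses you did not intend.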