Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    ET POLICY HTTP traffic on port 443 (POST)

    IDS/IPS
    3
    3
    4.6k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      keelingj
      last edited by

      Seeing a ton of blocked connections (95% of my Snort logs) from 54.215.136.238, which resolves to ec2-54-215-136-238.us-west-1.compute.amazonaws.com

      The alert generated is: ET POLICY HTTP traffic on port 443 (POST)

      Any idea what this could be?

      C2758 8-core Atom
      32GB ECC RAM
      100GB Intel DC S3700

      1 Reply Last reply Reply Quote 0
      • bmeeksB
        bmeeks
        last edited by

        This alert is basically saying "I saw unencrypted HTTP traffic travelling over a port generally reserved for HTTPS encrypted traffic".  It is more of a notification/warning as opposed to an alert about truly malicious activity.  You could safely disable that rule if you wish.

        Bill

        1 Reply Last reply Reply Quote 0
        • F
          fsansfil
          last edited by

          @bmeeks:

          You could safely disable that rule if you wish.

          Bear in mind that if you decide to allow HTTP traffic on 443, all the rules with $HTTP_PORTS wont be inspecting that traffic. Unless you add 443 to the $HTTP_PORTS variable, which will cause other false positive with some HTTPS inspection. In other word, the way alot of rules are made, HTTP, non encrypted traffic,  shouldnt be on 443

          F.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post