Created
March 19, 2021 14:01
Security Onion 2 - Hunt query for HTTP over non-HTTP ports
# Security Onion 2 - Hunt query for HTTP over non-HTTP ports grouped by port, http method, virtual host, uri & user agent
event.dataset:http AND NOT destination.port: "80" AND NOT destination.port: "8080" | groupby destination.port http.method http.virtual_host http.uri http.useragent
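The same detection logic, run offline over raw Zeek http.log records, as an added example that is not part of the gist: it keeps HTTP events whose responder port is outside the usual 80/8080 set and groups them by the same five fields the Hunt query uses. The log lines are constructed for this example (the Zscaler-style CONNECT records and the hostnames are made up), and the optional ignore_methods argument is an assumption about how one might tune out proxy CONNECT noise, not a Security Onion feature.

```python
import json
from collections import Counter

# Constructed sample Zeek http.log records in Zeek's JSON output format.
# Not real captures; hosts and addresses are made up for illustration.
SAMPLE_HTTP_LOG = """\
{"ts":1616162400.1,"uid":"CA1","id.orig_h":"10.0.0.5","id.orig_p":50001,"id.resp_h":"93.184.216.34","id.resp_p":80,"method":"GET","host":"example.com","uri":"/","user_agent":"Mozilla/5.0"}
{"ts":1616162401.2,"uid":"CA2","id.orig_h":"10.0.0.5","id.orig_p":50002,"id.resp_h":"10.0.0.20","id.resp_p":8080,"method":"GET","host":"proxy.internal","uri":"/status","user_agent":"curl/7.68.0"}
{"ts":1616162402.3,"uid":"CA3","id.orig_h":"10.0.0.7","id.orig_p":50003,"id.resp_h":"203.0.113.9","id.resp_p":443,"method":"CONNECT","host":"zscaler-gateway.example","uri":"zscaler-gateway.example:443","user_agent":"Zscaler/1.0"}
{"ts":1616162403.4,"uid":"CA4","id.orig_h":"10.0.0.7","id.orig_p":50004,"id.resp_h":"203.0.113.9","id.resp_p":443,"method":"CONNECT","host":"zscaler-gateway.example","uri":"zscaler-gateway.example:443","user_agent":"Zscaler/1.0"}
{"ts":1616162404.5,"uid":"CA5","id.orig_h":"10.0.0.9","id.orig_p":50005,"id.resp_h":"198.51.100.77","id.resp_p":4444,"method":"POST","host":"198.51.100.77","uri":"/gate.php","user_agent":"Mozilla/4.0 (compatible; MSIE 6.0)"}
"""

# Ports the Hunt query excludes as "expected" HTTP ports.
STANDARD_HTTP_PORTS = {80, 8080}


def hunt_http_nonstandard_ports(log_text, exclude_ports=STANDARD_HTTP_PORTS,
                                ignore_methods=()):
    """Replicate the Hunt query over Zeek http.log JSON lines.

    Keeps records whose responder port (destination.port in SO2) is not in
    exclude_ports, then groups by (port, method, virtual host, uri, user agent).
    ignore_methods is a hypothetical tuning knob: passing ("CONNECT",) drops
    the proxy CONNECT requests that a Zscaler client sends before its TLS handshake.
    Returns a Counter keyed by the five-field tuple.
    """
    groups = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rec = json.loads(line)
        port = rec.get("id.resp_p")
        if port in exclude_ports:
            continue
        if rec.get("method") in ignore_methods:
            continue
        # Optional Zeek fields (host, user_agent) may be absent; .get keeps None.
        key = (port, rec.get("method"), rec.get("host"),
               rec.get("uri"), rec.get("user_agent"))
        groups[key] += 1
    return groups


if __name__ == "__main__":
    hits = hunt_http_nonstandard_ports(SAMPLE_HTTP_LOG)
    for (port, method, host, uri, ua), count in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{count:>3}  port={port} method={method} host={host} uri={uri} ua={ua}")
```

Against the constructed sample, the two CONNECT records to the proxy on 443 collapse into one group with a count of 2, and the POST to port 4444 stands out on its own. Excluding CONNECT globally would also hide an attacker tunnelling through a proxy on a non-standard port, so in practice the exclusion is better scoped to the known proxy hosts rather than the method.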
Hmm, thanks for the explanation. I'll have to take a look at why this rule is hitting on Zscaler Private Access initial connections on 443.
Looks like it may initially be doing an HTTP CONNECT over 443 - https://help.zscaler.com/zia/what-proxy-mode
...sends the HTTP CONNECT method request directly to the ZIA Public Service Edge, before it initiates the SSL handshake
This is not part of a standard TLS/SSL handshake, so it is being classified as HTTP traffic, which is why you are seeing it show up.
The good news is - you have learned something new about your network! :)
Thanks for helping me figure it out!
np! Defenders have to stick together! :)
Also, had help from the team to find that zscaler link, wasn't just me.
@femaven
Great point! However, the two network metadata generators used in SO2 (Zeek & Suricata) take care of that specific issue during their protocol analysis - the event.dataset: http category is tied to the traffic that they have analyzed as http (this is why, if you dig deeper, you don't see the initial TLS/SSL handshake in any traffic tagged as event.dataset: http).