Created March 19, 2021 14:01
Security Onion 2 - Hunt query for HTTP over non-HTTP ports
# Security Onion 2 - Hunt query for HTTP over non-HTTP ports grouped by port, http method, virtual host, uri & user agent
event.dataset:http AND NOT destination.port: "80" AND NOT destination.port: "8080" | groupby destination.port http.method http.virtual_host http.uri http.useragent
Looks like it may initially be doing an HTTP CONNECT over 443 - https://help.zscaler.com/zia/what-proxy-mode
...sends the HTTP CONNECT method request directly to the ZIA Public Service Edge, before it initiates the SSL handshake
This is not part of a standard TLS/SSL handshake, so it is being classified as HTTP traffic, which is why you are seeing it show up.
The good news is - you have learned something new about your network! :)
Thanks for looking and helping me figure it out!
np! Defenders have to stick together! :)
Also, had help from the team to find that zscaler link, wasn't just me.
Hmm, thanks for the explanation. I'll have to take a look at why this rule is hitting on Zscaler Private Access initial connections on 443.
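As an added example (not part of the gist or of anyone's comment above), the following Python replays the hunt query's filter and groupby against a handful of constructed Zeek-style http records, then applies the triage point from the thread: an HTTP CONNECT to port 443 is a forward-proxy client opening a tunnel before its TLS handshake, which Zeek logs as http even though no plaintext web server is involved. The ECS field names are the ones the query uses; the sample events, the `203.0.113.10` and `gateway.example.invalid` values, and the `is_proxy_connect` heuristic are assumptions made for illustration, and the heuristic is a triage aid that still warrants confirming the destination is the expected proxy service edge.

```python
"""
Added example: run the Security Onion hunt query logic over constructed
Zeek-style http records and separate the proxy CONNECT-on-443 pattern
discussed in the thread from hits that deserve a closer look.
"""
from collections import Counter

# Same fields the hunt query groups by, in the same order.
GROUP_FIELDS = ("destination.port", "http.method", "http.virtual_host",
                "http.uri", "http.useragent")
EXPECTED_HTTP_PORTS = {80, 8080}  # the ports the query excludes

# Constructed sample events (not captured from a real network). Field names
# follow the ECS names used in the query.
SAMPLE_EVENTS = [
    # Ordinary web traffic on an expected port: excluded by the port clauses.
    {"event.dataset": "http", "destination.port": 80, "http.method": "GET",
     "http.virtual_host": "example.com", "http.uri": "/",
     "http.useragent": "curl/7.68.0"},
    {"event.dataset": "http", "destination.port": 8080, "http.method": "GET",
     "http.virtual_host": "proxy.internal", "http.uri": "/status",
     "http.useragent": "python-requests/2.25"},
    # Proxy-mode client sending HTTP CONNECT to 443 before the TLS handshake
    # (constructed to resemble the behaviour described in the thread).
    {"event.dataset": "http", "destination.port": 443, "http.method": "CONNECT",
     "http.virtual_host": "gateway.example.invalid",
     "http.uri": "gateway.example.invalid:443", "http.useragent": "-"},
    {"event.dataset": "http", "destination.port": 443, "http.method": "CONNECT",
     "http.virtual_host": "gateway.example.invalid",
     "http.uri": "gateway.example.invalid:443", "http.useragent": "-"},
    # Plaintext HTTP on a non-standard port: the kind of hit the hunt is for.
    {"event.dataset": "http", "destination.port": 8443, "http.method": "POST",
     "http.virtual_host": "203.0.113.10", "http.uri": "/gate.php",
     "http.useragent": "Mozilla/4.0"},
    # Not an http record at all: excluded by the event.dataset clause.
    {"event.dataset": "ssl", "destination.port": 443},
]


def matches_hunt(event):
    """event.dataset:http AND NOT destination.port:80 AND NOT destination.port:8080"""
    return (event.get("event.dataset") == "http"
            and event.get("destination.port") not in EXPECTED_HTTP_PORTS)


def group_hits(events):
    """groupby destination.port http.method http.virtual_host http.uri http.useragent.

    Returns {(port, method, vhost, uri, useragent): count} for matching events;
    a missing field is shown as "-" the way Zeek logs an unset value.
    """
    return Counter(tuple(e.get(f, "-") for f in GROUP_FIELDS)
                   for e in events if matches_hunt(e))


def is_proxy_connect(group_key):
    """Triage heuristic from the thread (an assumption, not a Security Onion rule):
    an HTTP CONNECT to 443 is a forward-proxy tunnel being opened ahead of TLS."""
    port, method = group_key[0], group_key[1]
    return port == 443 and method == "CONNECT"


def triage(events):
    """Split grouped hits into likely proxy tunnels and hits to review by hand."""
    proxy, review = {}, {}
    for key, count in group_hits(events).items():
        (proxy if is_proxy_connect(key) else review)[key] = count
    return proxy, review


if __name__ == "__main__":
    proxy_hits, review_hits = triage(SAMPLE_EVENTS)
    print("Likely proxy CONNECT tunnels (confirm the destination is your proxy):")
    for key, count in proxy_hits.items():
        print(f"  {count:>3}  {key}")
    print("Hits to review:")
    for key, count in review_hits.items():
        print(f"  {count:>3}  {key}")
```

Run it directly to see the two buckets. In a real deployment the same split could be expressed by adding `AND NOT http.method: "CONNECT"` to the hunt query once the proxy behaviour is confirmed, but keeping the CONNECT rows in a separate bucket, as here, preserves visibility of tunnels opened to destinations other than the known proxy.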