Gist: defensivedepth/fd33cc6e7bbd8826ce7e4b27c4841aec
Security Onion 2 - Hunt query for HTTP over non-HTTP ports
# Security Onion 2 - Hunt query for HTTP over non-HTTP ports grouped by port, http method, virtual host, uri & user agent
event.dataset:http AND NOT destination.port: "80" AND NOT destination.port: "8080" | groupby destination.port http.method http.virtual_host http.uri http.useragent
femaven commented Mar 23, 2021

It should be

event.dataset:http AND NOT (destination.port: "80" OR destination.port: "8080" OR destination.port: "443") | groupby destination.port http.method http.virtual_host http.uri http.useragent

because initial TLS/SSL connections (destination.port=443) begin in clear-text.

defensivedepth (Author) commented

@femaven

Great point! However, the two network metadata generators used in SO2 (Zeek & Suricata) take care of that specific issue during their protocol analysis - the event.dataset: http category is tied to the traffic that they have analyzed as http (this is why, if you dig deeper, you don't see the initial TLS/SSL handshake in any traffic tagged as event.dataset: http).

femaven commented Mar 23, 2021

Hmm, thanks for the explanation. I'll have to take a look at why this rule is hitting on Zscaler Private Access initial connections on 443.

defensivedepth (Author) commented

Looks like it may initially be doing an HTTP CONNECT over 443 - https://help.zscaler.com/zia/what-proxy-mode

...sends the HTTP CONNECT method request directly to the ZIA Public Service Edge, before it initiates the SSL handshake

This is not part of a standard TLS/SSL handshake, so it is being classified as HTTP traffic, which is why you are seeing it show up.

The good news is - you have learned something new about your network! :)
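The hunt query from the gist and the CONNECT-over-443 case explained in this comment, as an added Python example that is not part of the gist or of Security Onion: it applies the same dataset filter, port exclusion and groupby to a few constructed events using the SO2 field names, then runs it again with 443 excluded (as proposed earlier in the thread) to show that the extra exclusion would hide the proxy CONNECT finding. All events, hostnames and user agents are constructed.

```python
from collections import Counter

# Constructed sample events in the shape of the SO2 fields the query uses
# (not real Security Onion output).
SAMPLE_EVENTS = [
    {"event.dataset": "http", "destination.port": 80, "http.method": "GET",
     "http.virtual_host": "www.example.com", "http.uri": "/", "http.useragent": "Mozilla/5.0"},
    {"event.dataset": "http", "destination.port": 8080, "http.method": "GET",
     "http.virtual_host": "proxy.example.com", "http.uri": "/status", "http.useragent": "curl/7.68.0"},
    {"event.dataset": "http", "destination.port": 8443, "http.method": "POST",
     "http.virtual_host": "10.0.0.5", "http.uri": "/api/v1/upload", "http.useragent": "python-requests/2.25.1"},
    {"event.dataset": "http", "destination.port": 8443, "http.method": "POST",
     "http.virtual_host": "10.0.0.5", "http.uri": "/api/v1/upload", "http.useragent": "python-requests/2.25.1"},
    # Proxy-mode client sending HTTP CONNECT over 443 before its TLS handshake,
    # which Zeek/Suricata classify as http (the case discussed in the thread).
    {"event.dataset": "http", "destination.port": 443, "http.method": "CONNECT",
     "http.virtual_host": "zpa.example.net", "http.uri": "zpa.example.net:443", "http.useragent": "ZscalerClient"},
    # Ordinary TLS on 443 lands in a different dataset, so the hunt never sees it.
    {"event.dataset": "tls", "destination.port": 443},
]

# Fields named after the "| groupby" pipe in the hunt query.
GROUP_FIELDS = ("destination.port", "http.method", "http.virtual_host", "http.uri", "http.useragent")


def hunt_http_on_nonstandard_ports(events, excluded_ports=(80, 8080)):
    """Mirror of the hunt query: keep event.dataset:http, drop the excluded
    destination ports, group by GROUP_FIELDS and count. Returns a list of
    (group_key, count) rows, highest count first."""
    counts = Counter()
    for ev in events:
        if ev.get("event.dataset") != "http":
            continue
        if int(ev.get("destination.port", -1)) in excluded_ports:
            continue
        counts[tuple(ev.get(field, "-") for field in GROUP_FIELDS)] += 1
    return sorted(counts.items(), key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for label, excluded in (("exclude 80/8080", (80, 8080)), ("exclude 80/8080/443", (80, 8080, 443))):
        print(f"--- {label} ---")
        for key, count in hunt_http_on_nonstandard_ports(SAMPLE_EVENTS, excluded):
            print(count, *key)
```

With the gist's exclusions the CONNECT-on-443 row is the one that stands out; adding 443 to the exclusion list removes it from the results entirely.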

femaven commented Mar 23, 2021

Thanks for looking into it and helping me figure it out!

defensivedepth (Author) commented Mar 23, 2021

np! Defenders have to stick together! :)

Also, had help from the team to find that zscaler link, wasn't just me.
