Snort now blocking chisel #507
Comments
It’d be the websocket protocol header I think
…On Sat, 2 Mar 2024 at 9:42 AM bru73f0rc3 ***@***.***> wrote:
New Snort rule (https://www.snort.org/advisories/talos-rules-2024-02-20)
- 1:63050 <-> DISABLED <-> POLICY-OTHER Chisel proxy tunnel outbound
connection attempt (policy-other.rules)
I had a tunnel blocked at a customer, had them whitelist for now but if
anyone's taken a look at the rule, what is Chisel being blocked on? I would
guess the Chisel header which as far as I know, can't be changed from
command line (you can add headers, but if you try to "overwrite" one,
chisel fails to start).
Looks like it, pcap on server side shows: Request: Response: ..SSH-chisel-v3-server then a RST. (Sometimes Snort messes up and you also get the cipher negotiation and only then the RST.)
New Snort rule (https://www.snort.org/advisories/talos-rules-2024-02-20)
I had a tunnel blocked at a customer, had them whitelist for now but if anyone's taken a look at the rule, what is Chisel being blocked on? I would guess the Chisel header which as far as I know, can't be changed from command line (you can add headers, but if you try to "overwrite" one, chisel fails to start).