unknown_http_tunnelling

Description

This signature detects unknown binary connections tunnelled over port 80. HTTP access is normally open on the firewall, so attackers could tunnel non-HTTP traffic on port 80 to evade firewall policy control.
The signature is disabled by default because some "legal" applications use an HTTP tunnel as their protocol channel and do not necessarily follow the HTTP protocol. HTTP tunnelling is also commonly used in IM and P2P applications.

Affected Products

N/A

Impact

Firewall policy avoidance

Recommended Actions

The signature can be set to "Block" if this type of traffic is against the network policy.
Monitor the traffic from that network for any suspicious activity if required.
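
The check described above, sketched as an added example (not the vendor's signature logic): the first client-to-server payload of a port-80 flow is tested against the HTTP request-line grammar, and anything else is reported with the configured action. The function names, verdict labels, `MAX_LINE` cap and sample flows are assumptions constructed for illustration.

```python
import re

# HTTP/1.x request line: method SP request-target SP HTTP-version CRLF.
# The HTTP/2 prior-knowledge preface ("PRI * HTTP/2.0") also matches.
REQUEST_LINE = re.compile(
    rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+ [\x21-\x7e]+ HTTP/\d\.\d\r?\n")
MAX_LINE = 8192  # assumed cap on how long a request line may grow

def classify_first_payload(payload: bytes) -> str:
    """Classify the first client-to-server bytes seen on a port-80 flow."""
    if not payload:
        return "incomplete"
    if REQUEST_LINE.match(payload):
        return "http"
    # No newline yet and only printable ASCII: this may be a request line
    # split across TCP segments, so wait for more data before deciding.
    if b"\n" not in payload and len(payload) < MAX_LINE:
        if all(0x20 <= b <= 0x7E for b in payload):
            return "incomplete"
    return "non-http"

def review_flows(flows, action="monitor"):
    """Return (flow_id, verdict, action) for flows that do not speak HTTP.

    action mirrors the recommended actions: "monitor" or "block".
    """
    return [(flow_id, "non-http", action)
            for flow_id, payload in flows
            if classify_first_payload(payload) == "non-http"]

# Constructed sample flows (documentation address ranges, made-up payloads).
SAMPLE_FLOWS = [
    ("10.0.0.5:49152->203.0.113.10:80",
     b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    ("10.0.0.6:49153->203.0.113.11:80", b"POST /api HT"),       # split segment
    ("10.0.0.7:49154->203.0.113.12:80",
     b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),          # TLS record
    ("10.0.0.8:49155->203.0.113.13:80",
     b"\x00\x00\x00\x1c\x01\x02\xff\xfe\x80\x81"),              # opaque binary
]

if __name__ == "__main__":
    for hit in review_flows(SAMPLE_FLOWS, action="monitor"):
        print(hit)
```

Applications that legitimately use port 80 without following HTTP will also be reported, which is why such a check is normally run in monitor mode first and tuned with an allowlist before blocking.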

Coverage

IPS (Regular DB)
IPS (Extended DB)

Version Updates

Date Version Status Detail
2023-11-16 26.679 Removed