Intrusion Prevention

unknown_http_tunnelling

Description

This signature detects unknown binary connections tunnelled over port 80. HTTP access is normally open on the firewall, so attackers could tunnel non-HTTP traffic over port 80 to evade firewall policy control.
The signature is disabled by default because some legitimate applications use an HTTP tunnel as their protocol channel and do not necessarily follow the HTTP protocol. HTTP tunnelling is also commonly used by IM and P2P applications.
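
The idea behind this kind of detection, as an added example (not the vendor's signature logic): check whether the first client payload of a port 80 flow begins with a well-formed HTTP request line. The flow records, field names and addresses below are constructed for illustration; since legitimate applications may also fail this check, hits are candidates for review rather than confirmed tunnels.

```python
import re

# HTTP/1.x request line: method SP request-target SP HTTP-version CRLF.
# The HTTP/2 cleartext preface ("PRI * HTTP/2.0") also matches this shape.
REQUEST_LINE = re.compile(
    rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]{1,32} [\x21-\x7e]{1,8192} HTTP/\d\.\d\r?\n"
)
PRINTABLE = re.compile(rb"[\x20-\x7e]*")
MAX_LINE = 8300  # assumed upper bound for a request line still being received


def classify(first_payload: bytes) -> str:
    """Return 'http', 'incomplete' or 'non-http' for the first client bytes."""
    if REQUEST_LINE.match(first_payload):
        return "http"
    # A request line split across segments: printable so far, no newline yet.
    if (b"\n" not in first_payload and len(first_payload) < MAX_LINE
            and PRINTABLE.fullmatch(first_payload)):
        return "incomplete"
    return "non-http"


def flag_port80_tunnels(flows, port=80):
    """List (src, dst) pairs on `port` whose first payload is not HTTP."""
    return [(f["src"], f["dst"]) for f in flows
            if f["dport"] == port and classify(f["payload"]) == "non-http"]


# Constructed sample flows (documentation address ranges).
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"src": "192.0.2.11", "dst": "198.51.100.7", "dport": 80,
     "payload": b"SSH-2.0-OpenSSH_9.6\r\n"},           # SSH banner on port 80
    {"src": "192.0.2.12", "dst": "198.51.100.8", "dport": 80,
     "payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"},  # TLS record
    {"src": "192.0.2.13", "dst": "198.51.100.9", "dport": 80,
     "payload": b"POST /upload HT"},                   # truncated request line
    {"src": "192.0.2.14", "dst": "198.51.100.9", "dport": 443,
     "payload": b"\x16\x03\x01\x02\x00"},              # not port 80, ignored
]

if __name__ == "__main__":
    for src, dst in flag_port80_tunnels(SAMPLE_FLOWS):
        print(f"non-HTTP traffic on port 80: {src} -> {dst}")
```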

Affected Products

N/A

Impact

Firewall policy avoidance

Recommended Actions

The signature can be set to "Block" if this type of traffic is against the network policy.
Monitor the traffic from that network for any suspicious activity if required.