We are seeing more and more bots that use port 80 for their C&C channel. This will make these bots harder to detect. However, these are IRC servers, so it's not that hard to distinguish them from HTTP traffic.
A couple of tricks that may help:
alert tcp any any -> any 80 (msg:"irc traffic on port 80";
Johannes, ISC Handler, Nov 16th 2006
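One way to tell IRC from HTTP on port 80 is to look at the first bytes the client sends. The sketch below is an added example, not part of the original diary and not the rule the author posted; the function names, the IRC command list and the sample payloads are assumptions constructed for illustration.

```python
import re

# An HTTP/1.x client opens with a request line: METHOD SP target SP HTTP/x.y
HTTP_REQUEST = re.compile(
    rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT|PATCH) \S+ HTTP/\d\.\d\r?\n")
# An IRC client (RFC 1459) opens with registration commands, one per line.
# The command must be followed by a space or the line end, so "NICK=joe" is no match.
IRC_COMMAND = re.compile(
    rb"^(?::\S+ )?(PASS|NICK|USER|JOIN|PRIVMSG|NOTICE|PING|PONG|MODE|QUIT)"
    rb"(?: [^\r\n]*)?\r?\n", re.I)
# An IRC server answers with ":servername NNN target ..." numerics.
IRC_NUMERIC = re.compile(rb"^:\S+ \d{3} \S+")


def classify(payload: bytes) -> str:
    """Label the first payload of a TCP flow as 'http', 'irc' or 'unknown'."""
    if HTTP_REQUEST.match(payload) or payload.startswith(b"HTTP/1."):
        return "http"  # decided on the start of the stream, never on the body
    if IRC_COMMAND.match(payload) or IRC_NUMERIC.match(payload):
        return "irc"
    return "unknown"


def irc_on_port_80(flows):
    """flows: iterable of (flow_id, dst_port, first_payload). Returns flagged ids."""
    return [fid for fid, dport, data in flows
            if dport == 80 and classify(data) == "irc"]


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    ("f1", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("f2", 80, b"NICK bot123\r\nUSER bot 0 * :bot\r\n"),
    # HTTP POST whose body happens to contain an IRC-looking word
    ("f3", 80, b"POST /form HTTP/1.1\r\nHost: example.com\r\n"
               b"Content-Length: 9\r\n\r\nNICK=joe\n"),
    ("f4", 6667, b"NICK user1\r\nUSER user1 0 * :User\r\n"),  # IRC, usual port
    ("f5", 80, b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a"),      # binary, neither
    ("f6", 80, b"pass secret\r\nnick bot9\r\n"),              # commands ignore case
]

if __name__ == "__main__":
    print(irc_on_port_80(SAMPLE_FLOWS))
```

Anchoring the match at the start of the stream is what keeps an HTTP body that merely contains the word NICK from being flagged.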