Detecting Data Obfuscation: Protocol Impersonation

Objective

Attackers may try to impersonate a legitimate protocol in order to disguise C&C communication and bypass network filtering (MITRE ATT&CK T1001.003).

Using protocol classification, this global rule blocks all traffic to destination port 80 that is not classified as HTTP, i.e. traffic whose detected protocol does not match the standard protocol for that port.

Note

Similar rules can also be created for other protocols such as HTTPS, SSH, etc.

Creating the Rule

Configure a global rule that drops all non-HTTP traffic to destination port 80 and generates a warning.

The following table shows the required rule settings:

Rule | Source | Destination | Conditions                                | Actions
-----+--------+-------------+-------------------------------------------+--------------------------------------------------
     | Any    | Any         | Classification                            | Log: Medium
     |        |             |   Excluded Applications/Protocols: http   | Final Action: Reject Traffic and Stop Processing
     |        |             | Layer 4 Port                              |
     |        |             |   Destination Ports: 80                   |

For detailed instructions on how to create a rule, refer to Creating Global Rules.

Click the APPLY CHANGES button at the top of the menu bar to activate your configuration changes.
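The rule above can be modelled outside the product to check how it behaves against concrete flows. The following Python script is an added example, not the product's own code: it implements a tiny payload classifier standing in for the firewall's protocol classification, then applies the port/protocol mismatch rule (port 80 must carry HTTP; anything else is rejected and logged at medium level). It generalizes the page's single rule to a per-port table, which also covers the HTTPS and SSH variants mentioned in the note. The flow records, the `Flow`/`Verdict` types and the helper names are constructed for illustration.

```python
# Added example: a minimal model of the "port/protocol mismatch" rule described
# above. It is not the product's own code; the flow records, the classifier and
# the helper names are constructed for illustration.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Standard port -> application protocol expected on that port. The page's rule
# covers only port 80/http; the other entries follow the note about HTTPS and SSH.
EXPECTED_PROTOCOL: Dict[int, str] = {80: "http", 443: "tls", 22: "ssh"}

# HTTP/1.x request line, e.g. "GET /index.html HTTP/1.1\r\n".
_HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")


def classify(payload: bytes) -> str:
    """Tiny payload classifier standing in for the firewall's protocol
    classification. Returns 'http', 'tls', 'ssh' or 'unknown'."""
    if _HTTP_REQUEST_LINE.match(payload) or payload.startswith(b"HTTP/1."):
        return "http"
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x00..0x04.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    return "unknown"


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first client bytes of the connection


@dataclass
class Verdict:
    action: str  # 'accept', 'reject' or 'pending'
    log_level: Optional[str]
    reason: str


def evaluate(flow: Flow, expected: Dict[int, str] = EXPECTED_PROTOCOL) -> Verdict:
    """Apply the mismatch rule: traffic to a standard port must carry that port's
    protocol; anything else is rejected and logged at medium level."""
    wanted = expected.get(flow.dport)
    if wanted is None:
        return Verdict("accept", None, f"no protocol expectation for port {flow.dport}")
    if not flow.payload:
        # No application data yet (e.g. only the TCP handshake): the protocol
        # cannot be classified, so the rule cannot fire on this packet.
        return Verdict("pending", None, "no payload to classify")
    seen = classify(flow.payload)
    if seen != wanted:
        return Verdict("reject", "medium",
                       f"{seen} traffic to port {flow.dport}, expected {wanted}")
    return Verdict("accept", None, f"{seen} on port {flow.dport} as expected")


def run_rules(flows: List[Flow]) -> List[Verdict]:
    return [evaluate(f) for f in flows]


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Flow("10.0.0.6", "203.0.113.11", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.0.0.7", "203.0.113.12", 80, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    Flow("10.0.0.8", "203.0.113.13", 80, b"\x00\x01\x02\x03custom-beacon"),
    Flow("10.0.0.9", "203.0.113.14", 8080, b"SSH-2.0-OpenSSH_9.6\r\n"),
    Flow("10.0.0.10", "203.0.113.15", 80, b""),
]


def rejected_count(flows: List[Flow] = SAMPLE_FLOWS) -> int:
    """Number of flows the rule would reject."""
    return sum(1 for v in run_rules(flows) if v.action == "reject")


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, run_rules(SAMPLE_FLOWS)):
        log = f" log={verdict.log_level}" if verdict.log_level else ""
        print(f"{flow.src} -> {flow.dst}:{flow.dport} {verdict.action}{log}: {verdict.reason}")
```

Two points worth noting from the model: because the rule keys on "not HTTP" rather than on a specific impersonating protocol, TLS or an unknown binary beacon on port 80 is rejected just like SSH is, and the flow to port 8080 is untouched because no expectation exists for that port. The `pending` verdict illustrates why a classification-based rule cannot decide on the first packet of a connection; the firewall needs application data before the exclusion condition can match.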

Result

Traffic that impersonates HTTP on destination port 80 is detected, logged, and blocked.