Detecting Data Obfuscation: Protocol Impersonation
Objective
Attackers may try to impersonate a legitimate protocol in order to disguise command-and-control (C&C) communication and bypass network filtering (MITRE ATT&CK T1001.003, Data Obfuscation: Protocol Impersonation).
Using protocol classification, this global rule drops all traffic to destination port 80 that the classifier does not identify as HTTP, i.e. every flow whose classified protocol does not match the protocol expected on that standard port.
Note
Similar rules can be created for other protocol/port pairs, for example HTTPS on port 443 or SSH on port 22.
Creating the Rule
Configure a global rule that drops all non-HTTP traffic to destination port 80 and logs the event as a warning.
The following table shows the required rule settings (cells left blank on this page have no prescribed value):
Rule | Source | Destination | Conditions | Actions
---|---|---|---|---
 | | | Classification | Log:
For detailed instructions on how to create a rule, refer to Creating Global Rules.
Click the APPLY CHANGES button at the top of the menu bar to activate your configuration changes.
Result
Traffic to port 80 that is not classified as HTTP, including C&C traffic that merely pretends to be HTTP, is logged and dropped. Note that traffic which is well-formed HTTP still passes this rule even if it carries C&C data; the rule only detects mismatches between the classified protocol and the expected port.
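The following is an added example, not the firewall's own classification engine or any code from this page, that shows the logic the rule applies: classify the first client-to-server bytes of a flow, compare the result with the protocol expected on the destination port, and drop plus log a warning on mismatch. The classifier, the port-to-protocol table (HTTP/80 from the page, HTTPS/443 and SSH/22 added here as the Note suggests), the log format and all sample flows are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Expected application protocol per destination port. HTTP on 80 is the
# page's rule; 443 and 22 are added here as assumptions (see the Note).
EXPECTED_PROTOCOL = {80: "http", 443: "tls", 22: "ssh"}

# HTTP/1.x request line, which also matches the HTTP/2 cleartext (h2c)
# connection preface "PRI * HTTP/2.0".
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/[12]\.[01]\r\n")


def classify(payload: bytes) -> str:
    """Classify the first client-to-server segment of a TCP stream.

    Returns 'http', 'tls', 'ssh' or 'unknown'. Deliberately small
    first-segment classifier, not a vendor engine.
    """
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    if payload.startswith(b"SSH-"):  # RFC 4253 identification string
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03xx,
    # two-byte length, then handshake type 0x01 (ClientHello).
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return "tls"
    return "unknown"


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first client-to-server segment


def evaluate(flow: Flow) -> Tuple[str, Optional[str]]:
    """Apply the port/protocol mismatch rule to one flow.

    Returns ('accept', None) or ('drop', <warning log line>).
    """
    expected = EXPECTED_PROTOCOL.get(flow.dport)
    if expected is None:
        return "accept", None  # no expectation configured for this port
    observed = classify(flow.payload)
    if observed == expected:
        return "accept", None
    warning = (f"WARNING protocol-impersonation {flow.src} -> {flow.dst}:{flow.dport} "
               f"expected={expected} classified={observed} action=drop")
    return "drop", warning


def run_rule(flows: List[Flow]) -> List[str]:
    """Return the warning lines the rule would log for a batch of flows."""
    return [msg for msg in (evaluate(f)[1] for f in flows) if msg]


# Constructed sample flows, not captured traffic.
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03" + b"\x00" * 32
SAMPLE_FLOWS = [
    # genuine HTTP/1.1 and h2c on port 80 -> accept
    Flow("10.0.0.5", "203.0.113.10", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    Flow("10.0.0.5", "203.0.113.10", 80, b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"),
    # TLS ClientHello sent to port 80 -> classified tls, expected http -> drop
    Flow("10.0.0.7", "203.0.113.20", 80, TLS_CLIENT_HELLO),
    # SSH banner on port 80 -> drop
    Flow("10.0.0.8", "203.0.113.30", 80, b"SSH-2.0-OpenSSH_9.6\r\n"),
    # opaque binary beacon on port 80 -> unknown -> drop
    Flow("10.0.0.9", "203.0.113.40", 80, b"\x8a\x01\x00\x10\xde\xad\xbe\xef"),
    # TLS on its standard port -> accept
    Flow("10.0.0.5", "203.0.113.10", 443, TLS_CLIENT_HELLO),
]

if __name__ == "__main__":
    for line in run_rule(SAMPLE_FLOWS):
        print(line)
```

Running the block prints three warnings (the TLS, SSH and binary flows on port 80) and accepts the rest. The example only looks at the first segment, so a C&C channel that speaks genuine HTTP passes it, exactly as with the firewall rule; the point of the rule is the port/protocol mismatch, not HTTP content inspection.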