2022-06-30 10:14 AM
I decrypt traffic from my Palo Alto firewall and send it to a capture port. The destination ports do not get changed, so Netwitness is setting some meta values that become kind of useless for us.
The parsers correctly handle the traffic as service = 80. Every decrypted ssl session has the analysis.service = "http over non-standard port", analysis.service = "unknown service over ssl port", attack.technique = "non-standard port", risk.info = "http over non-standard port". I need to define port 443 as a standard port for service 80, and I also need some way of defining service 80 as being known for the ssl port (443).
Where would this information be defined?
2022-06-30 11:37 AM
You will need to modify the associated app rules on the decoder and add the 443 port to the http rules.
nw60020 service = 80 && tcp.dstport = l-79,81-u && streams = 2 (this is the "http over non-standard port" rule; it's looking for service 80 (http) and tcp.dstport anything but 80)
so it would look like this:
nw60020 service = 80 && tcp.dstport = l-79,81-442,444-u && streams = 2 (just add in the ranges to exclude 80 & 443 from the rule)
nw60165 service != 443 && tcp.dstport = 443 && streams = 2 (this is the "unknown service over ssl port" rule, so service not equal to 443 (https/ssl) but tcp.dstport = 443)
so it would look like this:
nw60165 service != 80,443 && tcp.dstport = 443 && streams = 2 (add in that service 80 is ok when tcp.dstport is 443)
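To show what the edits to the two app rules change, here is a small evaluator for the rule syntax used in the answer above (comma lists, l-u port ranges, = and != clauses joined by &&), run over a few constructed sessions. This is an added example, not NetWitness code: it models only the operators those two rules use, and the session values (service, tcp.dstport, streams) are made up to illustrate decrypted-and-forwarded traffic.

```python
"""Toy evaluator for NetWitness-style app-rule conditions (added example,
not NetWitness's own engine). Supports: key = value, key != value,
comma-separated lists, 'l'/'u' range bounds, and '&&' conjunction."""

from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Session:
    service: int   # service meta assigned by the parsers, e.g. 80 for http
    dstport: int   # tcp.dstport as seen on the wire
    streams: int   # number of streams (2 = both directions seen)


# Rule bodies quoted in the answer (rule names nw60020 / nw60165 omitted).
ORIGINAL_60020 = "service = 80 && tcp.dstport = l-79,81-u && streams =2"
MODIFIED_60020 = "service = 80 && tcp.dstport = l-79,81-442,444-u && streams =2"
ORIGINAL_60165 = "service != 443 && tcp.dstport = 443 && streams = 2"
MODIFIED_60165 = "service != 80,443 && tcp.dstport = 443 && streams = 2"

_FIELDS = {"service": "service", "tcp.dstport": "dstport", "streams": "streams"}
_CLAUSE = re.compile(r"([A-Za-z.]+)\s*(!=|=)\s*(\S+)")


def parse_ranges(spec: str) -> list[tuple[int, int]]:
    """Turn 'l-79,81-442,444-u' into [(0, 79), (81, 442), (444, 65535)].
    A bare value such as '80' becomes the single-point range (80, 80)."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        hi = hi or lo
        lo_v = 0 if lo == "l" else int(lo)
        hi_v = 65535 if hi == "u" else int(hi)
        ranges.append((lo_v, hi_v))
    return ranges


def in_ranges(value: int, ranges: list[tuple[int, int]]) -> bool:
    return any(lo <= value <= hi for lo, hi in ranges)


def matches(rule: str, s: Session) -> bool:
    """True if every '&&'-joined clause of the rule holds for the session."""
    for clause in rule.split("&&"):
        m = _CLAUSE.fullmatch(clause.strip())
        if m is None:
            raise ValueError(f"unsupported clause: {clause!r}")
        key, op, spec = m.groups()
        actual = getattr(s, _FIELDS[key])
        hit = in_ranges(actual, parse_ranges(spec))
        if (op == "=" and not hit) or (op == "!=" and hit):
            return False
    return True


def fired(rule: str, sessions: dict[str, Session]) -> set[str]:
    """Names of the sessions a rule would tag."""
    return {name for name, s in sessions.items() if matches(rule, s)}


# Constructed sessions: decrypted HTTPS forwarded with its original port,
# ordinary HTTP, HTTP on an odd port, and a non-HTTP service on 443.
SAMPLE = {
    "decrypted_https": Session(service=80, dstport=443, streams=2),
    "plain_http": Session(service=80, dstport=80, streams=2),
    "http_on_8080": Session(service=80, dstport=8080, streams=2),
    "ssh_on_443": Session(service=22, dstport=443, streams=2),
}

if __name__ == "__main__":
    for label, rule in [("original nw60020", ORIGINAL_60020),
                        ("modified nw60020", MODIFIED_60020),
                        ("original nw60165", ORIGINAL_60165),
                        ("modified nw60165", MODIFIED_60165)]:
        print(f"{label}: {sorted(fired(rule, SAMPLE))}")
```

Running it shows that the original rules tag the decrypted session on both counts, while the modified rules stop tagging it but still fire for http on 8080 and for a non-http service on 443, so the exemption is limited to the one case the question describes. Note the evaluator only implements the clause shapes quoted in the answer; it is not a general app-rule parser.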