jpillora / chisel

A fast TCP/UDP tunnel over HTTP

Snort now blocking chisel

bru73f0rc3 opened this issue · comments

New Snort rule (https://www.snort.org/advisories/talos-rules-2024-02-20)

  • 1:63050 <-> DISABLED <-> POLICY-OTHER Chisel proxy tunnel outbound connection attempt (policy-other.rules)

I had a tunnel blocked at a customer, had them whitelist for now, but if anyone's taken a look at the rule, what is Chisel being blocked on? I would guess the Chisel header, which as far as I know can't be changed from the command line (you can add headers, but if you try to "overwrite" one, chisel fails to start).

Looks like it, pcap on server side shows:

Request:
GET / HTTP/1.1
Host: host:80
User-Agent: Go-http-client/1.1
Connection: Upgrade
Sec-WebSocket-Key: xxx
Sec-WebSocket-Protocol: chisel-v3
Sec-WebSocket-Version: 13
Upgrade: websocket

Response:
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: xxx

..SSH-chisel-v3-server

Then a RST. (Sometimes Snort messes up and you also get the cipher negotiation and only then the RST.)
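
An added example, not part of the thread and not the content of the Snort rule: a Python check for the two Chisel markers visible in the capture above, the `chisel-v3` WebSocket subprotocol in the request and the `SSH-chisel-v3-server` banner following the 101 response. The function names, the version-number wildcard and the sample bytes (including the two WebSocket frame-header bytes before the banner) are assumptions constructed for illustration.

```python
import re

# Markers taken from the capture in the thread; the \d+ version wildcard is an assumption.
SUBPROTO_RE = re.compile(r"^chisel-v\d+$", re.IGNORECASE)
BANNER_RE = re.compile(rb"SSH-chisel-v\d+-\w+")

def parse_http(raw: bytes):
    """Split an HTTP/1.1 message into start line, lower-cased headers and trailing bytes."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest

def chisel_indicators(request: bytes, response: bytes) -> list:
    """Return the names of the Chisel markers found in one upgrade exchange."""
    hits = []
    _, req_headers, _ = parse_http(request)
    status_line, _, after_upgrade = parse_http(response)
    is_upgrade = req_headers.get("upgrade", "").lower() == "websocket"
    # Sec-WebSocket-Protocol may carry a comma-separated list of subprotocols.
    offered = [p.strip() for p in req_headers.get("sec-websocket-protocol", "").split(",")]
    if is_upgrade and any(SUBPROTO_RE.match(p) for p in offered):
        hits.append("websocket-subprotocol")
    # Server-to-client WebSocket frames are unmasked, so the banner is readable as-is.
    if status_line.split(" ")[1:2] == ["101"] and BANNER_RE.search(after_upgrade):
        hits.append("ssh-banner-after-upgrade")
    return hits

# Constructed samples modelled on the capture above ("xxx" placeholders kept).
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: host:80\r\nUser-Agent: Go-http-client/1.1\r\n"
    b"Connection: Upgrade\r\nSec-WebSocket-Key: xxx\r\n"
    b"Sec-WebSocket-Protocol: chisel-v3\r\nSec-WebSocket-Version: 13\r\n"
    b"Upgrade: websocket\r\n\r\n")
SAMPLE_RESPONSE = (
    b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
    b"Connection: Upgrade\r\nSec-WebSocket-Accept: xxx\r\n\r\n"
    b"\x82\x16SSH-chisel-v3-server\r\n")
# Constructed benign WebSocket exchange for comparison.
BENIGN_REQUEST = SAMPLE_REQUEST.replace(b"chisel-v3", b"graphql-ws")
BENIGN_RESPONSE = SAMPLE_RESPONSE.split(b"\r\n\r\n")[0] + b"\r\n\r\n\x81\x02{}"

if __name__ == "__main__":
    print(chisel_indicators(SAMPLE_REQUEST, SAMPLE_RESPONSE))
    print(chisel_indicators(BENIGN_REQUEST, BENIGN_RESPONSE))
```

Both markers are only visible on the wire when the tunnel runs over plain HTTP, as in the capture; over TLS an inspecting device would need to terminate the session to see them.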