Snort now blocking chisel
bru73f0rc3 opened this issue
New Snort rule (https://www.snort.org/advisories/talos-rules-2024-02-20)
- 1:63050 <-> DISABLED <-> POLICY-OTHER Chisel proxy tunnel outbound connection attempt (policy-other.rules)
I had a tunnel blocked at a customer, had them whitelist for now, but if anyone's taken a look at the rule, what is Chisel being blocked on? I would guess the Chisel header, which as far as I know can't be changed from the command line (you can add headers, but if you try to "overwrite" one, Chisel fails to start).
Looks like it, pcap on server side shows:
Request:
```
GET / HTTP/1.1
Host: host:80
User-Agent: Go-http-client/1.1
Connection: Upgrade
Sec-WebSocket-Key: xxx
Sec-WebSocket-Protocol: chisel-v3
Sec-WebSocket-Version: 13
Upgrade: websocket
```
Response:
```
HTTP/1.1 101 Switching Protocols
Upgrade: websocket
Connection: Upgrade
Sec-WebSocket-Accept: xxx
..SSH-chisel-v3-server
```
Then a RST. (Sometimes Snort messes up and you also get the cipher negotiation and only then the RST.)
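For defenders reading the capture above, here is an added example (not part of the issue thread, and not the Talos rule, whose content the page does not show) that checks a reassembled handshake for the two Chisel markers visible in the pcap. The function names, the `tunnel.example`/`app.example` hosts and the sample bytes are constructed for illustration.

```python
import re

# Markers taken from the capture in this thread. Whether SID 1:63050 keys
# on them is not stated on the page (assumption for illustration).
WS_PROTO_RE = re.compile(r"^chisel-v\d+$", re.I)
SSH_BANNER_RE = re.compile(rb"SSH-chisel-v\d+-server")

def parse_http_head(raw: bytes):
    """Split one HTTP message into (start line, lowercase headers, trailing bytes)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, rest

def chisel_indicators(request: bytes, response: bytes):
    """Return the markers seen in one reassembled WebSocket upgrade exchange."""
    findings = []
    _, req_h, _ = parse_http_head(request)
    is_upgrade = (req_h.get("upgrade", "").lower() == "websocket"
                  and "upgrade" in req_h.get("connection", "").lower())
    offered = [p.strip() for p in req_h.get("sec-websocket-protocol", "").split(",")]
    if is_upgrade and any(WS_PROTO_RE.match(p) for p in offered):
        findings.append("ws-subprotocol")
    status, _, body = parse_http_head(response)
    parts = status.split()
    # The SSH banner rides inside the first WebSocket frame after the 101.
    if len(parts) >= 2 and parts[1] == "101" and SSH_BANNER_RE.search(body):
        findings.append("ssh-banner")
    return findings

# Constructed samples modelled on the capture (key/accept values are fake).
CHISEL_REQ = (b"GET / HTTP/1.1\r\nHost: tunnel.example:80\r\n"
              b"User-Agent: Go-http-client/1.1\r\nConnection: Upgrade\r\n"
              b"Sec-WebSocket-Key: AAAAAAAAAAAAAAAAAAAAAA==\r\n"
              b"Sec-WebSocket-Protocol: chisel-v3\r\n"
              b"Sec-WebSocket-Version: 13\r\nUpgrade: websocket\r\n\r\n")
CHISEL_RESP = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
               b"Connection: Upgrade\r\nSec-WebSocket-Accept: AAAA\r\n\r\n"
               b"\x82\x16SSH-chisel-v3-server\r\n")  # 2-byte frame header + banner
BENIGN_REQ = (b"GET /ws HTTP/1.1\r\nHost: app.example\r\nConnection: Upgrade\r\n"
              b"Upgrade: websocket\r\nSec-WebSocket-Protocol: graphql-ws\r\n\r\n")
BENIGN_RESP = b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n\r\n\x81\x02hi"

if __name__ == "__main__":
    print(chisel_indicators(CHISEL_REQ, CHISEL_RESP))
    print(chisel_indicators(BENIGN_REQ, BENIGN_RESP))
```

Both markers travel in cleartext only when the tunnel runs over plain HTTP, as in this capture; over TLS a sensor sees them only where it can inspect decrypted traffic.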