Snort now blocking chisel

[bru73f0rc3]

New Snort rule (https://www.snort.org/advisories/talos-rules-2024-02-20)

• 1:63050 <-> DISABLED <-> POLICY-OTHER Chisel proxy tunnel outbound connection attempt (policy-other.rules)

I had a tunnel blocked at a customer, had them whitelist for now but if anyone's taken a look at the rule, what is Chisel being blocked on? i would guess the Chisel header which as far as i know, can't be changed from command line (you can add headers, but if you try to "overwrite" one, chisel fails to start).

[jpillora]

It’d be the websocket protocol header I think

On Sat, 2 Mar 2024 at 9:42 AM bru73f0rc3 @.***> wrote:

New Snort rule (https://www.snort.org/advisories/talos-rules-2024-02-20)

• 1:63050 <-> DISABLED <-> POLICY-OTHER Chisel proxy tunnel outbound connection attempt (policy-other.rules)

I had a tunnel blocked at a customer, had them whitelist for now but if anyone's taken a look at the rule, what is Chisel being blocked on? i would guess the Chisel header which as far as i know, can't be changed from command line (you can add headers, but if you try to "overwrite" one, chisel fails to start).

— Reply to this email directly, view it on GitHub https://github.com/jpillora/chisel/issues/507, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAE2X4ZWVNCUUQIDHIEXNJLYWD745AVCNFSM6AAAAABECQRDXOVHI2DSMVQWIX3LMV43ASLTON2WKOZSGE3DIMZQGM3TEMI . You are receiving this because you are subscribed to this thread.Message ID: @.***>

[bru73f0rc3]

Looks like it, pcap on server side shows:

Request: GET / HTTP/1.1 Host: host:80 User-Agent: Go-http-client/1.1 Connection: Upgrade Sec-WebSocket-Key: xxx Sec-WebSocket-Protocol: chisel-v3 Sec-WebSocket-Version: 13 Upgrade: websocket

Response: HTTP/1.1 101 Switching Protocols Upgrade: websocket Connection: Upgrade Sec-WebSocket-Accept: xxx

..SSH-chisel-v3-server

then a RST. (sometimes snort messes up and you also get the cipher negotiation and only then the RST)