Extracting ‘HTTP CONNECT’ Requests with Python

Two-sentence summary: The article describes using a Python script to extract and summarize HTTP CONNECT requests from PCAPs captured at a honeypot, illustrating how such traffic can reveal proxy-based tunneling activity. It also notes that larger datasets may be better analyzed with Zeek, and that HTTP CONNECT traffic has surged in recent days. #HTTP_CONNECT #Honeypot #Proxy #Zeek #Python #PCAP

Keypoints

  • PCAP analysis was used to quantify HTTP CONNECT requests observed at a honeypot, providing a scalable view of traffic patterns.
  • The alerts originated from a DShield honeypot and were not fully visible in standard web honeypot logs, prompting deeper PCAP investigation.
  • A Python script (using Scapy) processes PCAPs to extract HTTP CONNECT events, save details to CSV, and print a summary (source IPs, destination ports, paths, and hosts).
  • Historic processing against six months of PCAPs took over a day, suggesting Zeek or similar tools may be faster for larger datasets.
  • Recent HTTP CONNECT activity showed a noticeable uptick within the current month and particularly in the last week.
  • Top destination ports and observed paths indicate proxy-like usage, with many requests directed at port 443 and various suspicious domains.
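
As an added example, not the diary's own Scapy script, here is a stdlib-only Python version of the same extraction: it walks a libpcap file, pulls the CONNECT target out of each TCP payload and tallies sources, requested ports and host:port targets as the summary above describes. The capture it reads is constructed inline; its IPs and hostnames are placeholders, not the honeypot's indicators.

```python
import re
import socket
import struct
from collections import Counter

def parse_connect(payload):
    """Return (target_host, target_port) if the TCP payload starts with an HTTP CONNECT request."""
    m = re.match(rb"^CONNECT[ \t]+(\S+)[ \t]+HTTP/1\.[01]\r?\n", payload)
    if not m:
        return None
    host, _, port = m.group(1).decode("ascii", "replace").partition(":")
    return host, (int(port) if port.isdigit() else None)

def iter_tcp_payloads(pcap):
    """Yield (src_ip, dst_port, tcp_payload) per Ethernet/IPv4/TCP record; other frames are skipped."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"  # pcap magic gives byte order
    off = 24  # skip the pcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame, off = pcap[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]  # skip Ethernet + IPv4 header (IHL)
        yield socket.inet_ntoa(frame[26:30]), struct.unpack("!H", tcp[2:4])[0], tcp[(tcp[12] >> 4) * 4:]

def summarize(pcap):
    """Count CONNECT requests by source IP, requested port and host:port target."""
    srcs, ports, targets = Counter(), Counter(), Counter()
    for src_ip, _, payload in iter_tcp_payloads(pcap):
        if parsed := parse_connect(payload):
            srcs[src_ip] += 1
            ports[parsed[1]] += 1
            targets[f"{parsed[0]}:{parsed[1]}"] += 1
    return srcs, ports, targets

def _frame(src_ip, dst_port, payload):
    """Minimal Ethernet/IPv4/TCP frame for the constructed sample (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton("10.0.0.1")) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip

def sample_pcap():
    """Constructed capture, not honeypot data: two CONNECT requests from one source plus one GET."""
    frames = [_frame("192.0.2.10", 8080, b"CONNECT example.net:443 HTTP/1.1\r\nHost: example.net:443\r\n\r\n"),
              _frame("192.0.2.10", 8080, b"CONNECT example.org:27115 HTTP/1.1\r\n\r\n"),
              _frame("198.51.100.7", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")]
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # little-endian, Ethernet
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)
```

On a real capture, replace `sample_pcap()` with the bytes of the PCAP file; only the first segment of each connection carries the request line, so reassembly is not needed for this count.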

MITRE Techniques

  • [T1071.001] Web Protocols – Used to open connections via proxy servers; ‘HTTP CONNECT requests are often used with proxy servers to open a connection to a desired destination.’
  • [T1090] Proxy – The HTTP CONNECT requests may have been an attempt to relay traffic through the honeypot and hide the original source; ‘The HTTP CONNECT requests may have been an attempt to relay traffic through the honeypot and hide the original source of the request. It is also possible that the traffic may have been funneled through multiple proxy endpoints to make identification of the source difficult to identify.’

Indicators of Compromise

  • [IP] Source IP addresses observed in HTTP CONNECT traffic – 142.202.242.113, 69.30.246.66, and others
  • [Domain] HTTP CONNECT path domains observed – 28sex.com, beo555.co
  • [Port] HTTP CONNECT destination ports observed – 443, 27115

Read more: https://isc.sans.edu/diary/rss/29246