One of our customers wanted the ability to more easily detect unauthorized Web application usage. During the development of the LogRhythm Network Monitor, we found a way to accomplish this very easily. We wrote an AIE rule that looks for HTTP traffic which doesn’t use a common HTTP destination port.
In this case we were able to use a single “log observed” rule block that matches logs where the Impacted Application is HTTP or HTTPS and the impacted TCP port is not 80 or 443. Depending on your environment, you may need to use a field other than the Impacted Application field.
Our client runs a custom web application on TCP port 8080, so we added an exclude filter for it. After a few minutes we discovered that some HTTP responses were being parsed in reverse (the server appeared as the origin and the client’s ephemeral port as the impacted port), so it also became necessary to exclude logs where the origin port is 80 or 443.
We set the “Group By” field to Hostname (Impacted), Hostname (Origin), TCP/UDP Port (Impacted), and Impacted Application to return as much data as possible. This allows our customer to alarm or report on unauthorized web application traffic as necessary.
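The rule logic described above, written out as an added Python example so the filter, the two exclusions and the Group By can be tested against sample data. This is not LogRhythm or AIE code; the record field names and the sample log records are constructed stand-ins for the Hostname (Origin/Impacted), TCP/UDP Port (Origin/Impacted) and Impacted Application fields. It also demonstrates the false positive that the reversed-response exclusion removes.

```python
"""Emulate the 'HTTP on a non-standard port' AIE rule over constructed records."""
from collections import Counter

WEB_APPS = {"HTTP", "HTTPS"}          # values of the Impacted Application field we care about
STANDARD_WEB_PORTS = {80, 443}        # expected HTTP/HTTPS destination ports
SANCTIONED_PORTS = {8080}             # the customer's known custom web app (per the post)

# Constructed sample records; field names are an assumption, not Network Monitor's schema.
SAMPLE_LOGS = [
    {"origin_host": "ws-01", "impacted_host": "intranet", "origin_port": 51234, "impacted_port": 80, "app": "HTTP"},
    {"origin_host": "ws-01", "impacted_host": "intranet", "origin_port": 51235, "impacted_port": 443, "app": "HTTPS"},
    {"origin_host": "ws-02", "impacted_host": "app-srv", "origin_port": 51300, "impacted_port": 8080, "app": "HTTP"},
    {"origin_host": "ws-03", "impacted_host": "rogue-box", "origin_port": 51400, "impacted_port": 8888, "app": "HTTP"},
    {"origin_host": "ws-03", "impacted_host": "rogue-box", "origin_port": 51401, "impacted_port": 8888, "app": "HTTP"},
    {"origin_host": "ws-04", "impacted_host": "dev-vm", "origin_port": 51500, "impacted_port": 8443, "app": "HTTPS"},
    # An HTTP response parsed in reverse: the server is the "origin" on port 80 and the
    # client's ephemeral port shows up as the "impacted" port.
    {"origin_host": "intranet", "impacted_host": "ws-01", "origin_port": 80, "impacted_port": 51234, "app": "HTTP"},
    {"origin_host": "ws-05", "impacted_host": "fileshare", "origin_port": 51600, "impacted_port": 445, "app": "SMB"},
]


def is_unauthorized_web(record, exclude_reversed=True):
    """Return True if the record matches the rule block with its exclude filters applied."""
    if record["app"] not in WEB_APPS:
        return False
    if record["impacted_port"] in STANDARD_WEB_PORTS:
        return False
    if record["impacted_port"] in SANCTIONED_PORTS:
        return False
    # The second exclusion from the post: drop responses whose origin port is 80/443,
    # which otherwise fire because the client's ephemeral port looks "non-standard".
    if exclude_reversed and record["origin_port"] in STANDARD_WEB_PORTS:
        return False
    return True


def group_unauthorized(records, exclude_reversed=True):
    """Group matching records the way the rule's Group By does and count each key.

    Key order mirrors the post: Hostname (Impacted), Hostname (Origin),
    TCP/UDP Port (Impacted), Impacted Application.
    """
    counts = Counter()
    for r in records:
        if is_unauthorized_web(r, exclude_reversed):
            counts[(r["impacted_host"], r["origin_host"], r["impacted_port"], r["app"])] += 1
    return dict(counts)


if __name__ == "__main__":
    print("with reversed-response exclusion:", group_unauthorized(SAMPLE_LOGS))
    print("without it (note the false positive):", group_unauthorized(SAMPLE_LOGS, exclude_reversed=False))
```

Running the block shows only the two genuinely unauthorized destinations (rogue-box:8888 and dev-vm:8443) when both exclusions are active; with `exclude_reversed=False` the reversed intranet response appears as a bogus hit on port 51234, which is exactly the noise the origin-port exclude filter was added to remove.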