[Snort-devel] Bug in SSL preproc or doc update/clarification?

Will Metcalf william.metcalf at ...2499...
Wed May 23 13:26:24 EDT 2012


I was trying to come up with sigs to hit on a C&C that uses malformed
SSLv3 client hello followed by server data that does not contain an
SSL fatal alert of some kind.  For the sake of simplicity, below is a rule
I would expect to match on the fatal alert from the server in response
to a malformed client hello. Based on documentation in the snort
manual it seems this rule should fire with default snort.conf but it
doesn't on 2.9.2.3. Removing both "trustservers, noinspect_encrypted"
from the ssl preproc allows this rule to fire. Bug? Expected Behavior?
User Error? pcap available upon request....

Regards,

Will

#Manual Entry
"Typically, SSL is used over port 443 as HTTPS. By enabling the SSLPP
to inspect port 443 and enabling the noinspect_encrypted option, only
the SSL handshake of each connection will be inspected. Once the
traffic is determined to be encrypted, no further inspection of the
data on the connection is made.

By default, SSLPP looks for a handshake followed by encrypted traffic
traveling to both sides. If one side responds with an indication that
something has failed, such as the handshake, the session is not marked
as encrypted. Verifying that faultless encrypted traffic is sent from
both endpoints ensures two things: the last client-side handshake
packet was not crafted to evade Snort, and that the traffic is
legitimately encrypted."

#Rule
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET BLAH SSL 3.0
Fatal Alert (Expected Behavior)"; flow:from_server,established;
content:"|15 03 00 00 02 02|"; depth:6; classtype:trojan-activity;
sid:6014637; rev:1;)

#Preproc setting and results.

#doesn't alert
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801
7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912
7913 7914 7915 7916 7917 7918 7919 7920 }, trustservers,
noinspect_encrypted
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801
7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912
7913 7914 7915 7916 7917 7918 7919 7920 }, noinspect_encrypted

#alerts
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801
7802 7900 7901 7902 7903 7904 7905 7906 7907 7908 7909 7910 7911 7912
7913 7914 7915 7916 7917 7918 7919 7920 }
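As an added illustration (my own example, not part of Will's message and not Snort code), the Python below decodes what the six bytes in the rule's content match actually are (record type 0x15 = alert, version 3.0, 2-byte body, level 2 = fatal) and emulates the `content`/`depth:6` check against a few constructed server-side payloads. The sample byte strings, the `triage` helper and the `rule_6014637` key name are assumptions made for the example.

```python
"""Decode an SSL/TLS record header and apply the post's Snort content check.

Added example, not Snort code. The sample payloads below are constructed.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Subset of the alert descriptions defined by the SSL 3.0 / TLS specs.
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 40: "handshake_failure",
                      42: "bad_certificate", 47: "illegal_parameter",
                      70: "protocol_version", 80: "internal_error"}

# The exact bytes the rule looks for: alert record, SSL 3.0, 2-byte body,
# level 2 (fatal). The alert description byte that follows is not matched.
RULE_CONTENT = bytes.fromhex("15 03 00 00 02 02")
RULE_DEPTH = 6


def parse_record(data: bytes) -> dict:
    """Parse one SSL/TLS record; for alert records also decode level/description."""
    if len(data) < 5:
        raise ValueError("need at least a 5-byte record header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    rec = {
        "content_type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
        "version": (major, minor),  # (3, 0) is SSL 3.0, (3, 1) is TLS 1.0
        "length": length,
        "truncated": len(body) < length,
    }
    if ctype == 21 and len(body) >= 2:
        rec["alert_level"] = ALERT_LEVELS.get(body[0], f"unknown({body[0]})")
        rec["alert_description"] = ALERT_DESCRIPTIONS.get(
            body[1], f"unknown({body[1]})")
    return rec


def rule_matches(payload: bytes) -> bool:
    """Emulate content:"|15 03 00 00 02 02|"; depth:6 on a server payload.

    depth limits the search to the first N payload bytes, so with a 6-byte
    pattern the match has to start at offset 0 of the server-side data.
    """
    return payload[:RULE_DEPTH].find(RULE_CONTENT) != -1


# Constructed sample server payloads (first bytes the server sends back).
FATAL_ALERT_SSL30 = bytes.fromhex("15 03 00 00 02 02 28")    # fatal handshake_failure
WARNING_ALERT_SSL30 = bytes.fromhex("15 03 00 00 02 01 00")  # warning close_notify
FATAL_ALERT_TLS10 = bytes.fromhex("15 03 01 00 02 02 28")    # same alert, TLS 1.0 version
SERVER_HELLO_SSL30 = bytes.fromhex("16 03 00 00 04 02 00 00 00")  # handshake record, dummy body


def triage(payload: bytes) -> dict:
    """Decode the record and report whether the rule's content check would hit (hypothetical helper)."""
    rec = parse_record(payload)
    rec["rule_6014637"] = rule_matches(payload)
    return rec


if __name__ == "__main__":
    for name, sample in [("fatal SSL3.0", FATAL_ALERT_SSL30),
                         ("warning SSL3.0", WARNING_ALERT_SSL30),
                         ("fatal TLS1.0", FATAL_ALERT_TLS10),
                         ("server hello", SERVER_HELLO_SSL30)]:
        print(f"{name:15} {triage(sample)}")
```

Running it shows only the SSL 3.0 fatal alert satisfying the content check; a warning-level alert, the same fatal alert carried in a TLS 1.0 record (version bytes 03 01), and a server hello all miss. That is the raw pattern semantics; it says nothing about whether the SSL preprocessor still hands the server packet to rule evaluation, which is exactly the question the post raises about `trustservers` and `noinspect_encrypted`.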



