[Snort-sigs] sslbomb DoS sigs (MS04-011; s21sec)

Mike Pomraning mjp-snortsigs at ...1399...
Thu Apr 15 11:13:08 EDT 2004


These will catch the specific exploit referenced in the first ``url''
reference field of each sig (but not general exploitation of the
vulnerability).  Modify $SSL_PORTS as needed -- https, secure mail, etc.

alert tcp $EXTERNAL_NET any -> $HOME_NET $SSL_PORTS (msg:"DOS sslbomb Client
Hello"; content:"|66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66 66
66 66 66 66 66 66 66 66|"; offset:15; depth: 43; classtype:attempted-dos;
reference:url,www.k-otik.com/exploits/04142004.sslbomb.c.php;
reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.aspx;
reference:cve,CAN-2004-0120; sid:987654321; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET $SSL_PORTS (msg:"DOS sslbomb Hello
Key Exchange"; content:"|03 B8 01 00 03 B4 00 03 B1 00 03 AE 30 82|";
offset:3; depth: 17; content:"S21sec1"; content:"www.wasahero.org";
distance:5; depth:210; flow:to_server,established; classtype:attempted-dos;
reference:url,www.k-otik.com/exploits/04142004.sslbomb.c.php;
reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.aspx;
reference:cve,CAN-2004-0120; sid:123456789; rev:1;)

Regards,
Mike
-- 
Michael J. Pomraning, CISSP
Project Manager, Infrastructure
SecurePipe, Inc. - Managed Internet Security
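
Added example (not part of Mike's post, and not Snort's own matcher): a small Python re-implementation of the Snort 2 content/offset/depth/distance semantics the two rules above depend on, run over constructed payloads built from the rules' own byte patterns rather than captured sslbomb traffic. It assumes Snort 2's absolute search window is payload[offset:offset+depth], that a content carrying distance is searched from the end of the previous match plus distance, and that a depth written after distance (as in the second rule) behaves as within; it reads the rule's "offest" as offset and ignores flow, ports and the rule headers. The helper names, the filler bytes and the sample payloads are all assumptions for illustration.

```python
"""Toy Snort 2 content matcher for the two sslbomb rules above.

Added example: not the original poster's code and not Snort's own matcher.
Assumed Snort 2 semantics (see snort_match): offset/depth give an absolute
window payload[offset:offset+depth]; distance/within are relative to the end
of the previous content match; depth written after distance (as in the second
rule) is treated as within.  Flow, ports and rule headers are ignored.
"""


def snort_match(payload: bytes, contents) -> bool:
    """Return True if every content option in `contents` matches, in order.

    Each entry is a dict with 'pat' (bytes) and optional 'offset', 'depth',
    'distance', 'within' (ints), mirroring the rule options.
    """
    doe = 0  # "detect offset end": byte just past the previous match
    for c in contents:
        pat = c["pat"]
        if "distance" in c or "within" in c:
            # Relative content: start `distance` bytes after the last match
            # and look at most `within` (or, assumed, `depth`) bytes ahead.
            start = doe + c.get("distance", 0)
            length = c.get("within", c.get("depth"))
        else:
            # Absolute content: window starts at `offset` and spans `depth`.
            start = c.get("offset", 0)
            length = c.get("depth")
        if start > len(payload):
            return False
        window = payload[start:] if length is None else payload[start:start + length]
        idx = window.find(pat)
        if idx < 0:
            return False
        doe = start + idx + len(pat)
    return True


# Content options transcribed from the two rules ("offest" read as offset).
SSLBOMB_CLIENT_HELLO = [
    {"pat": b"\x66" * 28, "offset": 15, "depth": 43},
]
SSLBOMB_KEY_EXCHANGE = [
    {"pat": bytes.fromhex("03b8010003b40003b10003ae3082"), "offset": 3, "depth": 17},
    {"pat": b"S21sec1"},
    {"pat": b"www.wasahero.org", "distance": 5, "depth": 210},
]

# Constructed payloads: NOT captured traffic and NOT the exploit itself, just
# byte strings shaped to exercise the rules.  Fifteen bytes of TLS-record-like
# filler (assumed) stand in for whatever precedes the bytes at offset 15.
_HDR = b"\x16\x03\x00\x00\x5a\x01\x00\x00\x56\x03\x00" + b"\x00" * 4
assert len(_HDR) == 15

HELLO_BOMB = _HDR + b"\x66" * 28 + b"\x00" * 20         # 0x66 run at bytes 15..42
HELLO_BENIGN = _HDR + bytes(range(28)) + b"\x00" * 20   # ordinary-looking bytes
HELLO_LATE = _HDR + b"\x00" * 16 + b"\x66" * 28          # run starts at 31: past depth

_KX_PREFIX = b"\x16\x03\x00" + bytes.fromhex("03b8010003b40003b10003ae3082") + b"\x00" * 10
KX_BOMB = _KX_PREFIX + b"S21sec1" + b"\x00" * 5 + b"www.wasahero.org" + b"\x00" * 8
KX_GAP0 = _KX_PREFIX + b"S21sec1" + b"www.wasahero.org" + b"\x00" * 8  # distance:5 unmet


def classify(payload: bytes) -> dict:
    """Evaluate both rules against one payload, keyed by the rule's msg."""
    return {
        "DOS sslbomb Client Hello": snort_match(payload, SSLBOMB_CLIENT_HELLO),
        "DOS sslbomb Hello Key Exchange": snort_match(payload, SSLBOMB_KEY_EXCHANGE),
    }


if __name__ == "__main__":
    samples = [("HELLO_BOMB", HELLO_BOMB), ("HELLO_BENIGN", HELLO_BENIGN),
               ("HELLO_LATE", HELLO_LATE), ("KX_BOMB", KX_BOMB), ("KX_GAP0", KX_GAP0)]
    for name, p in samples:
        print(name, classify(p))
```

The HELLO_LATE and KX_GAP0 cases are the point: offset:15/depth:43 and distance:5 pin the patterns to exact positions, so a variant of the exploit that pads a few bytes differently is not caught, which is the "specific exploit, not general exploitation" caveat at the top of the post.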