[Snort-sigs] rule for Non-SSL traffic on SSL port?

Hellman, Matthew Hellman.Matthew at ...3235...
Fri Jun 16 08:53:04 EDT 2006

Moderator: 2nd try, this time as registered user.

What I'm trying to accomplish can't be done with the commercial IPS we
currently use. I don't know a lot about Snort, and thought I'd see if it
might be up to the task.

Basically, I'm looking for a solution to alert me when a session on TCP
port 443 is not actually SSL. I want at most a single alarm per TCP
session.  At a conceptual level, the solution would look for the SSL
handshake early in a TCP session and alert if it was not seen. Or
something like that anyway. Can this be done with Snort?


-----Message Disclaimer-----

This e-mail message is intended only for the use of the individual or
entity to which it is addressed, and may contain information that is
privileged, confidential and exempt from disclosure under applicable law.
If you are not the intended recipient, any dissemination, distribution or
copying of this communication is strictly prohibited. If you have
received this communication in error, please notify us immediately by
reply email to Connect at ...3235... and delete or destroy all copies of
the original message and attachments thereto. Email sent to or from the
Principal Financial Group or any of its member companies may be retained
as required by law or regulation.

Nothing in this message is intended to constitute an Electronic signature
for purposes of the Uniform Electronic Transactions Act (UETA) or the
Electronic Signatures in Global and National Commerce Act ("E-Sign")
unless a specific statement to the contrary is included in this message.

More information about the Snort-sigs mailing list