[Snort-sigs] rule for Non-SSL traffic on SSL port?

Lorine Ruotolo lori.ruotolo at ...12...
Tue Jun 20 12:05:19 EDT 2006

My solution to any situation like this would be to do a packet capture of a 
regular SSL conversation and then of a non-SSL connection over the SSL port 
doing the same thing.

Look at the packets in the two conversations and see if there is any true 
indicator to write a signature with to check for non-SSL over port 443.

There must be something in clear-text that would occur on the non-SSL that 
wouldn't occur over the true SSL connection.

>From: "Hellman, Matthew" <Hellman.Matthew at ...3235...>
>To: <snort-sigs at lists.sourceforge.net>
>Subject: [Snort-sigs] rule for Non-SSL traffic on SSL port?
>Date: Fri, 16 Jun 2006 07:53:04 -0500
>Moderator: 2nd try, this time as registered user.
>What I'm trying to accomplish can't be done with the commercial IPS we
>currently use. I don't know a lot about Snort, and thought I'd see if it
>might be up to the task.
>Basically, I'm looking for a solution to alert me when a session on TCP
>port 443 is not actually SSL. I want at most a single alarm per TCP
>session.  At a conceptual level, the solution would look for the SSL
>handshake early in a TCP session and alert if it was not seen. Or
>something like that anyway. Can this be done with Snort?
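One way to implement what Matthew asks for (alert at most once per TCP/443 session whose first client payload is not an SSL/TLS handshake), as an added Python example that is not part of this thread and is not a Snort rule: it keys on the record-header bytes that the packet-capture comparison Lorine suggests would surface. The session ids and payloads below are constructed sample data.

```python
"""Added example (not from the thread): flag TCP/443 sessions whose first
client payload does not look like an SSL/TLS handshake, one alert per session."""
from typing import Dict, List, Tuple

# Constructed sample flows: (session id, one client payload, in arrival order).
# A TLS record starts with content type 0x16 (handshake), version 0x03 0x0X,
# a 2-byte length, then handshake type 0x01 (ClientHello).
SAMPLE_FLOWS: List[Tuple[str, bytes]] = [
    ("10.0.0.5:51000->203.0.113.7:443", bytes.fromhex("16030100a5010000a10303")),
    ("10.0.0.5:51000->203.0.113.7:443", b"later data, same session"),
    ("10.0.0.9:51002->203.0.113.7:443", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    ("10.0.0.9:51002->203.0.113.7:443", b"second packet of same session"),
    ("10.0.0.12:51003->203.0.113.7:443", bytes.fromhex("8046010300010000")),  # SSLv2 hello
    ("10.0.0.20:51004->203.0.113.7:443", b"SSH-2.0-OpenSSH_7.4\r\n"),
]


def looks_like_ssl_client_hello(payload: bytes) -> bool:
    """Heuristic: TLS 1.x ClientHello record, or an SSLv2-style CLIENT-HELLO."""
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01):
        return True
    # SSLv2: 2-byte length with the high bit set, then message type 0x01.
    if len(payload) >= 3 and payload[0] & 0x80 and payload[2] == 0x01:
        return True
    return False


def detect_non_ssl(flows: List[Tuple[str, bytes]]) -> List[str]:
    """Return the session ids to alert on; each session is judged once, on
    its first client payload, so there is at most one alert per session."""
    seen: Dict[str, bool] = {}
    alerts: List[str] = []
    for session, payload in flows:
        if session in seen:
            continue  # later packets never re-trigger the alert
        seen[session] = True
        if not looks_like_ssl_client_hello(payload):
            alerts.append(session)
    return alerts


if __name__ == "__main__":
    for sess in detect_non_ssl(SAMPLE_FLOWS):
        print("ALERT non-SSL on 443:", sess)
```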

