[Snort-sigs] rule for Non-SSL traffic on SSL port?

Russell Fulton r.fulton at ...575...
Fri Jun 23 19:16:52 EDT 2006

Hellman, Matthew wrote:

> Thanks for your reply Russell.  SSL/TLS is the epitome of the double-edged
> sword;-)  I realize that the "bad guy" can wrap his traffic in an SSL
> tunnel.  If we cared enough to spend big $$, there are enterprise proxy
> solutions that can inspect SSL (by performing a MITM). This is simply an
> effort to raise the bar a little bit...I'm trying to catch the "stupid
> guy" and the "stupid bad guy";-)  There are plenty of them.
OK, I'm teaching my grandmother to suck eggs again :)  It's one of the
problems with these mailing lists: you never know how much knowledge the
poster has.  Pleased to see you've taken it in good part :)

So to answer your real question, no, I don't know of any sigs for this
but it should be doable without too much trouble.  I'm guessing that you
may need to set a flowbit on the SYN packet and then use it to find the
first packet of the exchange which should have a recognisable format.
I've never tried to do this myself.

So, list:  How does one write a set of rules that will look for
something in the first packet of a TCP session to a particular port?

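A two-stage Snort rule set along the lines Russell sketches, added here as an illustration and not part of the original thread. It assumes Snort 2.x rule syntax, the usual $HOME_NET/$EXTERNAL_NET variables, port 443 as "the SSL port", and a flowbit name and SIDs chosen for this example:

```snort
# Stage 1: mark a new TCP session to the SSL port. Fires on the client's SYN,
# sets the flowbit, and never alerts on its own. (Assumed names: ssl.newsession, SIDs.)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"LOCAL new session to SSL port"; flags:S; flowbits:set,ssl.newsession; flowbits:noalert; sid:1000001; rev:1;)

# Stage 2: inspect only the first client payload of a marked session. A TLS
# ClientHello begins with record type 0x16 (handshake) and major version 0x03,
# so alert when those two bytes are absent from the start of the payload, then
# clear the flowbit so later packets in the same session are not re-checked.
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"LOCAL non-SSL traffic on SSL port"; flow:to_server,established; flowbits:isset,ssl.newsession; flowbits:unset,ssl.newsession; dsize:>0; content:!"|16 03|"; offset:0; depth:2; sid:1000002; rev:1;)
```

The `dsize:>0` and `flow:established` conditions keep the second rule off the bare SYN and ACK packets, so the first packet it evaluates is the client's first data segment; unsetting the flowbit there means one alert per session at most. The main caveat is SSLv2-compatible ClientHellos, which start with a length byte (high bit set) rather than 0x16 0x03, so any client still sending them will trip the rule; that is a tuning decision for the site rather than a defect in the approach.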