[Snort-sigs] rule for Non-SSL traffic on SSL port?
r.fulton at ...575...
Fri Jun 23 19:16:52 EDT 2006
Hellman, Matthew wrote:
> Thanks for your reply Russell. SSL/TLS is the epitome of the double edged
> sword;-) I realize that the "bad guy" can wrap his traffic in an SSL
> tunnel. If we cared enough to spend big $$, there are enterprise proxy
> solutions that can inspect SSL (by performing a MITM). This is simply an
> effort to raise the bar a little bit...I'm trying to catch the "stupid
> guy" and the "stupid bad guy";-) There are plenty of them.
OK, I'm teaching my grandmother to suck eggs again :) It's one of the
problems with these mailing lists: you never know how much knowledge the
poster has. Pleased to see you've taken it in good part :)
So to answer your real question, no, I don't know of any sigs for this
but it should be doable without too much trouble. I'm guessing that you
may need to set a flowbit on the SYN packet and then use it to find the
first packet of the exchange which should have a recognisable format.
I've never tried to do this myself.
So, list: How does one write a set of rules that will look for
something in the first packet of a TCP session to a particular port?
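The detection logic sketched in the thread (remember the SYN, then judge only the first client payload of the session against the format expected on that port), as an added prototype in Python. This is not code from the original posts and not a Snort rule; it models what a flowbit set on the SYN and a content check on the first data packet would do, so the logic can be reasoned about before writing the signature. The packet records, addresses and payloads below are constructed sample data, and the TLS/SSL header checks rest on the record formats (TLS record: content type 0x16 followed by a 0x03 version major byte; legacy SSLv2-compatible ClientHello: high bit set in the first byte, message type 0x01 in the third).

```python
"""
Toy model of "inspect only the first client payload of a TCP session to a
watched port".  Two things the thread's approach has to get right are handled:
sessions picked up mid-stream (no SYN seen) are not judged at all, and a
session is judged exactly once, so a non-SSL stream does not alert on every
packet.  All packets here are constructed, not captured.
"""
from dataclasses import dataclass

WATCHED_PORT = 443          # assumption: the SSL port under discussion
TLS_HANDSHAKE = 0x16        # TLS record content type for Handshake
SSLV2_CLIENT_HELLO = 0x01   # SSLv2 message type CLIENT-HELLO


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    payload: bytes = b""


@dataclass
class FlowState:
    saw_syn: bool = False             # analogue of a flowbit set on the SYN
    first_payload_judged: bool = False


def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record header: type 0x16, version 0x03 0x00..0x04 (SSL 3.0 .. TLS 1.3)."""
    return (len(data) >= 3 and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[2] <= 0x04)


def looks_like_sslv2_client_hello(data: bytes) -> bool:
    """Legacy SSLv2-compatible hello: 2-byte header with high bit set, then msg type 0x01."""
    return len(data) >= 3 and (data[0] & 0x80) != 0 and data[2] == SSLV2_CLIENT_HELLO


def flow_key(p: Packet):
    return (p.src, p.sport, p.dst, p.dport)


def detect_non_ssl(packets):
    """Return [(flow_key, first_8_bytes)] for sessions to WATCHED_PORT whose
    first client payload is neither a TLS record nor an SSLv2 hello."""
    flows = {}
    alerts = []
    for p in packets:
        if p.dport != WATCHED_PORT:
            continue                      # only client -> server on the SSL port
        st = flows.setdefault(flow_key(p), FlowState())
        if p.syn:
            st.saw_syn = True             # "set the flowbit on the SYN"
            continue
        if not p.payload or st.first_payload_judged:
            continue                      # pure ACK, or session already judged
        if not st.saw_syn:
            continue                      # mid-stream pickup: never saw the start
        st.first_payload_judged = True
        if not (looks_like_tls_client_hello(p.payload)
                or looks_like_sslv2_client_hello(p.payload)):
            alerts.append((flow_key(p), p.payload[:8]))
    return alerts


# Constructed sample traffic (RFC 5737 test addresses).
SAMPLE_PACKETS = [
    # A: real TLS 1.0 ClientHello -> quiet
    Packet("10.0.0.5", 40001, "192.0.2.10", 443, syn=True),
    Packet("10.0.0.5", 40001, "192.0.2.10", 443, payload=b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
    # B: plain HTTP on 443 -> alert
    Packet("10.0.0.6", 40002, "192.0.2.10", 443, syn=True),
    Packet("10.0.0.6", 40002, "192.0.2.10", 443),                      # empty ACK
    Packet("10.0.0.6", 40002, "192.0.2.10", 443, payload=b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    # C: SSH on 443 -> one alert, not one per packet
    Packet("10.0.0.7", 40003, "192.0.2.10", 443, syn=True),
    Packet("10.0.0.7", 40003, "192.0.2.10", 443, payload=b"SSH-2.0-OpenSSH_4.3\r\n"),
    Packet("10.0.0.7", 40003, "192.0.2.10", 443, payload=b"more data"),
    # D: picked up mid-stream (no SYN) -> not judged
    Packet("10.0.0.8", 40004, "192.0.2.10", 443, payload=b"GET / HTTP/1.0\r\n\r\n"),
    # E: port 80 -> ignored
    Packet("10.0.0.9", 40005, "192.0.2.10", 80, syn=True),
    Packet("10.0.0.9", 40005, "192.0.2.10", 80, payload=b"GET / HTTP/1.0\r\n\r\n"),
    # F: SSLv2-compatible ClientHello -> quiet
    Packet("10.0.0.10", 40006, "192.0.2.10", 443, syn=True),
    Packet("10.0.0.10", 40006, "192.0.2.10", 443, payload=b"\x80\x2e\x01\x00\x02\x00\x15"),
]


def run_sample():
    return detect_non_ssl(SAMPLE_PACKETS)


if __name__ == "__main__":
    for key, prefix in run_sample():
        print(f"non-SSL first payload on {key[3]}: {key[0]}:{key[1]} -> {prefix!r}")
```

Translated back into a signature, the two state flags above are the parts that need a flowbit: one set on the SYN so mid-stream sessions are skipped, and one set when the first data packet has been judged so the non-SSL stream alerts once rather than on every packet; the byte checks become `content` matches at offset 0 with a small `depth`.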