[Snort-sigs] rule for Non-SSL traffic on SSL port?
jasonb at ...435...
Fri Jun 23 20:53:05 EDT 2006
"grep -i ssl /path/to/vrt/rules/files" would be a good start
$ grep -i ssl * | wc
131 2642 39057
I'm thinking of something like this
alert tcp $HOME_NET 443 -> $EXTERNAL_NET any (msg:"NON SSL response"; \
flow:established,to_client; sid:1000000; rev:1; )
This presumes that the client requesting data would not initiate with a
client hello so the response would not have client_hello set.
You might have to play with it a little but it should be possible.
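To make the idea concrete, here is an added Python example (my own sketch, not a Snort rule and not from anyone in this thread) that models the flowbit approach: remember whether the client's first data packet on a 443 flow had the TLS ClientHello record format, then flag the server's first response on flows where it did not. The packets and flow ids are constructed by hand.

```python
"""Classify TCP/443 flows as TLS or non-TLS from the first payload bytes.

Models the flowbit idea: set a bit when the client's first data packet
looks like a TLS ClientHello, then judge the first server response.
"""

# TLS record header: content type 0x16 (handshake), then major version 3.
# Handshake type in byte 5 is 1 for ClientHello and 2 for ServerHello.
def is_tls_handshake(payload: bytes, hs_type: int) -> bool:
    return (len(payload) >= 6 and payload[0] == 0x16
            and payload[1] == 0x03 and payload[2] <= 0x04
            and payload[5] == hs_type)

def classify_flows(packets):
    """packets: (flow_id, direction, payload) in arrival order, where
    direction is 'to_server' or 'to_client'. Returns {flow_id: verdict}."""
    hello_seen = set()   # plays the role of flowbits:set,tls.hello
    first_seen = set()   # only the first client data packet is judged
    verdict = {}
    for flow, direction, payload in packets:
        if not payload:
            continue     # pure ACKs carry no record to inspect
        if direction == 'to_server' and flow not in first_seen:
            first_seen.add(flow)
            if is_tls_handshake(payload, 1):
                hello_seen.add(flow)
        elif direction == 'to_client' and flow not in verdict:
            # flowbits:isnotset,tls.hello on the first server response;
            # a server-speaks-first protocol also lands here as NON-SSL
            verdict[flow] = 'tls' if flow in hello_seen else 'NON-SSL'
    return verdict

# Constructed sample packets (hand-made, not real captures).
CLIENT_HELLO = bytes.fromhex('160301002a010000') + b'\x00' * 38
SERVER_HELLO = bytes.fromhex('160303002a020000') + b'\x00' * 38
SAMPLE = [
    ('f1', 'to_server', CLIENT_HELLO),
    ('f1', 'to_client', SERVER_HELLO),
    ('f2', 'to_server', b'GET / HTTP/1.1\r\nHost: a\r\n\r\n'),
    ('f2', 'to_client', b'HTTP/1.1 200 OK\r\n\r\n'),
    ('f3', 'to_server', b''),
    ('f3', 'to_server', b'SSH-2.0-OpenSSH\r\n'),
    ('f3', 'to_client', b'SSH-2.0-dropbear\r\n'),
]

if __name__ == '__main__':
    for flow, v in classify_flows(SAMPLE).items():
        print(flow, v)
```

A Snort rule pair would do the same with one rule setting the flowbit on a client packet starting with the handshake record header and a second alerting on the server's reply when that bit is not set.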
Russell Fulton wrote:
> Hellman, Matthew wrote:
>> Thanks for your reply Russell. SSL/TLS is the epitome of the double edged
>> sword;-) I realize that the "bad guy" can wrap his traffic in an SSL
>> tunnel. If we cared enough to spend big $$, there are enterprise proxy
>> solutions that can inspect SSL (by performing a MITM). This is simply an
>> effort to raise the bar a little bit...I'm trying to catch the "stupid
>> guy" and the "stupid bad guy";-) There are plenty of them.
> OK, I'm teaching my grandmother to suck eggs again :) It's one of the
> problems with these mailing lists: you never know how much knowledge the
> poster has. Pleased to see you've taken it in good part :)
> So to answer your real question, no I don't know of any sigs for this
> but it should be doable without too much trouble. I'm guessing that you
> may need to set a flowbit on the SYN packet and then use it to find the
> first packet of the exchange which should have a recognisable format.
> I've never tried to do this myself.
> So, list: How does one write a set of rules that will look for
> something in the first packet of a TCP session to a particular port?