[Snort-sigs] rule for Non-SSL traffic on SSL port?

Jason Brvenik jasonb at ...435...
Fri Jun 23 20:53:05 EDT 2006

"grep -i ssl /path/to/vrt/rules/files" would be a good start

$ grep -i ssl * | wc
     131    2642   39057

I'm thinking of something like this

alert tcp $HOMW_NET 443 -> $EXTERNAL_NET any (msg:"NON SSL response"; \
flowbits:isnotset,sslv2.client_hello.request; \
flowbits:isnotset,sslv3.client_hello.request; \
flowbits:isnotset,tlsv1.client_hello.request; \
flow:established,to_client; sid:1000000; rev:1; )

This presumes that the client requesting data would not initiate with a
client hello so the response would not have client_hello set.

You might have to play with it a little but it should be possible.

Russell Fulton wrote:
> Hellman, Matthew wrote:
>> Thanks for you reply Russell.  SSL/TLS is epitome of the double edged
>> sword;-)  I realize that the "bad guy" can wrap his traffic in an SSL
>> tunnel.  If we cared enough to spend big $$, there are enterprise proxy
>> solutions that can inspect SSL (by performing a MITM). This is simply an
>> effort to raise the bar a little bit...I'm trying to catch the "stupid
>> guy" and the "stupid bad guy";-)  There are plenty of them.
> OK, I'm teaching my grandmother to suck eggs again :)  It's one of the
> problems with these mailing lists you never know how much knowledge to
> poster has.  Pleased to see you've taken it in good part :)
> So to answer your real question, no I don't know of any sigs for this
> but it should be doable without too much trouble.  I'm guessing that you
> may need to set a flowbit on the SYN packet and then use it to find the
> first packet of the exchange which should have a recognisable format.
> I've never tried to do this myself.
> So, list:  How does one write a set of rules that will look for
> something in the first packet of a TCP session to a particular port?
> Russell
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs

More information about the Snort-sigs mailing list