[Snort-sigs] Identifying Non-SSL traffic on port 443

Ray Van Dolson rvandolson at ...3497...
Thu May 20 01:58:18 EDT 2010


On Wed, May 19, 2010 at 10:19:00PM -0700, Ray Van Dolson wrote:
> I need some pointers on how to create a rule to identify non-SSL
> traffic on port 443.
> 
> I found this thread[1] from a few years back with some good ideas in
> it, but I'm figuring someone out there must have an already working
> rule set or something to add to the discussion there.

Thinking out loud here, but could one make use of the SSLPP
preprocessor for this?

Something like:

  alert tcp [10.0.0.0/8] any -> [!10.0.0.0/8] 443 (ssl_state:unknown; sid:4; rev:1;)

?

Ray
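
What deciding "this is not SSL" from the first client payload on port 443 involves, as an added example (not part of the original post, and not how Snort's SSL preprocessor is implemented): a Python heuristic that accepts an SSLv3/TLS record header or an SSLv2 ClientHello and flags everything else. The function names, flow labels and sample payloads are constructed for illustration.

```python
import struct

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}
MAX_TLS_RECORD = 2**14 + 2048  # largest ciphertext fragment RFC 5246 allows
# Versions an SSLv2-format ClientHello may announce: SSLv2 itself or 3.0-3.3
SSLV2_HELLO_VERSIONS = {(0, 2), (3, 0), (3, 1), (3, 2), (3, 3)}

def looks_like_ssl(payload: bytes) -> bool:
    """Heuristic: do the first bytes of a flow resemble an SSL/TLS record?"""
    if len(payload) < 5:
        return False  # too short to hold a record header
    ctype, major, minor, length = struct.unpack("!BBBH", payload[:5])
    # SSLv3/TLS record header: content type, version 3.x, record length.
    # Zero-length records are rejected because the first record of a
    # flow is expected to carry a handshake message.
    if ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4:
        return 0 < length <= MAX_TLS_RECORD
    # SSLv2 ClientHello: 15-bit length with the high bit set, message
    # type 1, then the announced version.
    if payload[0] & 0x80 and payload[2] == 1:
        rec_len = ((payload[0] & 0x7F) << 8) | payload[1]
        return rec_len >= 9 and (payload[3], payload[4]) in SSLV2_HELLO_VERSIONS
    return False

def non_ssl_flows(first_payloads: dict) -> list:
    """Return the flow labels whose first client payload is not SSL/TLS."""
    return sorted(k for k, p in first_payloads.items() if not looks_like_ssl(p))

# Constructed sample payloads (first client-to-server bytes of each flow).
SAMPLES = {
    "tls_client_hello": bytes.fromhex("16030100c8") + b"\x01" * 200,
    "sslv2_client_hello": bytes.fromhex("802e010002") + b"\x00" * 43,
    "http_on_443": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "ssh_on_443": b"SSH-2.0-OpenSSH_5.3\r\n",
    "bad_version": bytes.fromhex("1605010020") + b"\x00" * 32,
}

if __name__ == "__main__":
    for label in non_ssl_flows(SAMPLES):
        print("non-SSL traffic on 443:", label)
```

This only inspects the start of a flow, so it has to be applied to the first data segment after the TCP handshake, not to arbitrary mid-stream packets.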