[Snort-sigs] SSL Initiation Rule

Steven Tonge steven.j.tonge at ...2420...
Wed May 13 11:39:45 EDT 2015


Hi,

I’ve been trying to write a rule to alert on SSL connection initiations on
all ports:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SSL connection
initiated."; content:"|16|"; depth:1; content:"|01|"; depth:1; offset:5;
sid:1000000001;)

which should match the content:

16 03 00 00 54 01 00 00 50 03 00 55 53 32 FA FE  ....T...P..US2..
--             --

For SSLv3 and TLSv1 connections. I tried to test it with a simple HTTPS GET
request and, after failing to match, I wrote a more general rule:

alert tcp any any <> any any (msg:"General SSL Alert."; sid:1000000002;)

Testing this with a pcap of an HTTPS transaction, I find it matching on most
of the packets but not on the client-side initiation ones (Client Hello,
Client Key Exchange, etc.).

Any ideas as to what’s missing?

Thanks

Steve
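Added example, not from the original post or from the Snort project: a byte-level model of the two content checks in the first rule above (`content:"|16|"; depth:1;` and `content:"|01|"; offset:5; depth:1;`), plus a small TLS record-header parser, so the matching logic can be exercised offline against the hex dump quoted in the post. The ClientHello bytes are the ones from the post; the ServerHello and HTTP samples are constructed here and are not from the post.

```python
# Added example, not part of the original post: a model of the byte checks the
# poster's first rule performs, plus a TLS record-header decoder.

from typing import Optional, Dict, Any

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type at offset 5 (after the 5-byte record header)

VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

# First 16 bytes of the SSLv3 ClientHello record quoted in the post.
CLIENT_HELLO_SAMPLE = bytes.fromhex("16 03 00 00 54 01 00 00 50 03 00 55 53 32 FA FE")

# Constructed (not from the post): start of a ServerHello record, same layout
# but handshake type 0x02, which the rule must not match.
SERVER_HELLO_SAMPLE = bytes.fromhex("16 03 00 00 4A 02 00 00 46 03 00 55 53 33 00 01")

# Constructed (not from the post): cleartext HTTP, which the rule must not match either.
HTTP_SAMPLE = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"


def rule_matches(payload: bytes) -> bool:
    """Mirror the rule's two content checks on one TCP payload.

    In Snort, a content option that carries only offset/depth (no distance or
    within) is matched at an absolute position in the payload: depth:1 on its
    own means "only payload[0]", and offset:5; depth:1 means "only payload[5]".
    Both checks must hit for the rule to fire.
    """
    if len(payload) < 6:
        return False
    return payload[0] == TLS_HANDSHAKE and payload[5] == CLIENT_HELLO


def parse_tls_record(payload: bytes) -> Optional[Dict[str, Any]]:
    """Decode the 5-byte TLS record header and, for handshake records, the
    4-byte handshake header that follows. Returns None for non-TLS payloads."""
    # 0x14 change_cipher_spec, 0x15 alert, 0x16 handshake, 0x17 application_data
    if len(payload) < 5 or payload[0] not in (0x14, 0x15, 0x16, 0x17):
        return None
    version = int.from_bytes(payload[1:3], "big")
    record_length = int.from_bytes(payload[3:5], "big")
    info: Dict[str, Any] = {
        "content_type": payload[0],
        "version": VERSIONS.get(version, f"unknown(0x{version:04x})"),
        "record_length": record_length,
    }
    if payload[0] == TLS_HANDSHAKE and len(payload) >= 9:
        info["handshake_type"] = payload[5]
        # 24-bit big-endian length of the handshake body; record_length == 4 + this
        info["handshake_length"] = int.from_bytes(payload[6:9], "big")
    return info


if __name__ == "__main__":
    for name, sample in [("client hello", CLIENT_HELLO_SAMPLE),
                         ("server hello", SERVER_HELLO_SAMPLE),
                         ("http", HTTP_SAMPLE)]:
        print(f"{name:13s} match={rule_matches(sample)} header={parse_tls_record(sample)}")
```

This models only the pattern itself, not Snort's stream reassembly or preprocessor handling, so if a payload that this function matches does not alert in Snort, the difference lies in how that packet reached the detection engine rather than in the content options.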