[Snort-sigs] SSL Initiation Rule

Y M snort at ...3751...
Fri May 15 05:39:27 EDT 2015

Comments Below.

Date: Wed, 13 May 2015 16:39:45 +0100
From: steven.j.tonge at ...2420...
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] SSL Initiation Rule

>I’ve been trying to write a rule to alert on SSL connection initiations on all ports:
>alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”SSL connection initiated.”; content:”|16|”; depth:1; content:”|01|”: depth:1; offset:5; sid:1000000001;)
>which should match the content:
>16 03 00 00 54 01 00 00 50 03 00 55 53 32 FA FE  ....T...P..US2..
>--             --
Was Snort able to run with the above rules, or are these just typos? Looking at the rule, it seems that you are using a ":" instead of ";" after the second content match and before the following depth keyword.

>For SSLv3 and TLSv1 connections. I tried to test it with a simple get HTTPS get request and after failing to match, I wrote a more general rule:
>alert tcp any any <> any any (msg:”General SSL Alert.”; sid:1000000002;)
>Testing this with a pcap of a HTTPS transaction, I find it matching on most of the packets but not on the client side initiation ones, Client Hello, Client Key Exchange, etc.
>Any ideas as to what’s missing?
I tested the rule above with a Client Hello and it seems to trigger fine. That said, you may also want to take a look at the SSL rule keywords: http://manual.snort.org/node17.html#SECTION003214300000000000000
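As an added illustration (not part of the thread and not Snort's own code), the following Python mirrors what the rule in the original post actually checks: two independent absolute content matches, byte 0 == 0x16 (TLS handshake record) and byte 5 == 0x01 (handshake type ClientHello). It runs that check, and a stricter record-header parse, over constructed sample payloads: the ClientHello from the hex dump in the thread, a ServerHello, an application-data record, an SSLv2-compatible ClientHello, and a non-TLS payload that happens to have the right two bytes. All sample packets are constructed for this example and padded with zeros to their declared lengths.

```python
"""Model of the Snort rule discussed in this thread.

Added example, not code from the thread or from Snort. The rule being modelled is:
    content:"|16|"; depth:1; content:"|01|"; depth:1; offset:5;
Without distance/within, the second content is an absolute search in payload[5:6].
"""
import struct

TLS_HANDSHAKE = 0x16          # TLS record content type: Handshake
HS_CLIENT_HELLO = 0x01        # handshake message type: ClientHello
HS_SERVER_HELLO = 0x02        # handshake message type: ServerHello

# --- constructed sample payloads (first TCP data segment of a flow) ---------

# The record the original poster wanted to match: the 16 bytes shown in the
# thread's hex dump, padded to the declared record length of 0x54 (84) bytes.
CLIENT_HELLO = (bytes.fromhex("16 03 00 00 54 01 00 00 50 03 00 55 53 32 FA FE")
                + b"\x00" * (0x54 - 11))

# A ServerHello record (TLS 1.2, record length 0x4a, handshake length 0x46).
SERVER_HELLO = bytes.fromhex("16 03 03 00 4a 02 00 00 46 03 03") + b"\x00" * (0x4a - 6)

# Application data (content type 0x17); byte 5 happens to be 0x01 but byte 0 is not 0x16.
APP_DATA = bytes.fromhex("17 03 03 00 20") + b"\x01" * 0x20

# SSLv2-compatible ClientHello as sent by older clients: 2-byte length with the
# high bit set, then message type 0x01, then the offered version 03 01.
SSLV2_HELLO = bytes.fromhex("80 2e 01 03 01") + b"\x00" * (0x2e - 3)

# Not TLS at all, but has 0x16 at offset 0 and 0x01 at offset 5 (constructed).
BOGUS = b"\x16zzzz\x01 hello"


def snort_rule_matches(payload: bytes) -> bool:
    """Exact semantics of the two content checks in the posted rule."""
    return payload[0:1] == b"\x16" and payload[5:6] == b"\x01"


def parse_tls_record(payload: bytes):
    """Parse the 5-byte TLS record header and 4-byte handshake header.

    Returns a dict, or None when the payload is not a complete, sane TLS
    handshake record. Version major must be 3 (SSLv3 / TLS 1.x).
    """
    if len(payload) < 9:
        return None
    ctype, ver_major, ver_minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != TLS_HANDSHAKE or ver_major != 3:
        return None
    if len(payload) < 5 + rec_len:
        return None                      # truncated or fragmented record
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_len + 4 > rec_len:
        return None                      # handshake message overruns the record
    return {
        "version": (ver_major, ver_minor),
        "record_len": rec_len,
        "handshake_type": hs_type,
        "handshake_len": hs_len,
    }


def is_client_hello(payload: bytes) -> bool:
    """Stricter check: a well-formed TLS handshake record carrying a ClientHello."""
    rec = parse_tls_record(payload)
    return rec is not None and rec["handshake_type"] == HS_CLIENT_HELLO


def classify(samples: dict) -> dict:
    """Map sample name -> (rule_matches, parser_says_client_hello)."""
    return {name: (snort_rule_matches(p), is_client_hello(p)) for name, p in samples.items()}


if __name__ == "__main__":
    samples = {"client_hello": CLIENT_HELLO, "server_hello": SERVER_HELLO,
               "app_data": APP_DATA, "sslv2_hello": SSLV2_HELLO, "bogus": BOGUS}
    for name, (rule, strict) in classify(samples).items():
        print(f"{name:13s} rule={rule!s:5s} parsed_client_hello={strict}")
```

Two things the run makes visible: the two-byte rule fires on any payload with the right bytes at offsets 0 and 5 (the "bogus" sample) because it never looks at the version or length fields, and neither the rule nor the record parser sees the SSLv2-compatible ClientHello, whose first byte is a length with the high bit set rather than 0x16. That second gap is what the ssl_state/ssl_version keywords linked above address, since the SSL preprocessor decodes both formats once it is configured for the ports in question.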


Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net

Please visit http://blog.snort.org for the latest news about Snort!