[Snort-users] Writing custom rule for SSL 401 errors
sysop at ...6291...
Tue Aug 13 12:28:03 EDT 2002
I am trying to write a snort rule that sends an alert when someone gets a
401 "Authorization Required" error while using SSL. I have the non-SSL
rule working as such
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
RESPONSES Http Failed Authorization"; content: "HTTP/1.\
1 401 "; flags:A+; classtype:bad-unknown; sid:1000001; rev:1;)
It works fine, but with SSL encryption I am having trouble with the
"content" parameter. I guess if I knew what HTTP/1.1 401 looked like when
its encrypted, it would be a piece of cake.
Anyone have any insight on this? Thanks in advance.
Journey's End Internet/Computer Connection Inc
More information about the Snort-users