[Snort-users] Writing custom rule for SSL 401 errors

Hicks, John JHicks at ...5857...
Tue Aug 13 12:47:02 EDT 2002


why not just sniff the traffic on a session you create?

-----Original Message-----
From: Eric Joe [mailto:sysop at ...6291...]
Sent: Tuesday, August 13, 2002 2:24 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Writing custom rule for SSL 401 errors


Hello,
I am trying to write a snort rule that sends an alert when someone gets a
401 "Authorization Required" error while using SSL. I have the non-SSL
rule working as such
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
RESPONSES Http Failed Authorization"; content: "HTTP/1.\
1 401 "; flags:A+; classtype:bad-unknown; sid:1000001; rev:1;)

It works fine, but with SSL encryption I am having trouble with the
"content" parameter. I guess if I knew what HTTP/1.1 401  looked like when
its encrypted, it would be a piece of cake.
Anyone have any insight on this?  Thanks in advance.


-- 
Eric Joe
Network Operations
Journey's End Internet/Computer Connection Inc




-------------------------------------------------------
This sf.net email is sponsored by: Dice - The leading online job board
for high-tech professionals. Search and apply for tech jobs today!
http://seeker.dice.com/seeker.epl?rel_code=31
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




More information about the Snort-users mailing list