[Snort-users] Writing custom rule for SSL 401 errors

McCammon, Keith Keith.McCammon at ...3497...
Tue Aug 13 12:55:02 EDT 2002


Because the payload will only be unique to that particular session.  The next time a session is established, the client will generate a new session key, and the payload will look different.

> -----Original Message-----
> From: Hicks, John [mailto:JHicks at ...5857...]
> Sent: Tuesday, August 13, 2002 3:44 PM
> To: 'Eric Joe'; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] Writing custom rule for SSL 401 errors
> 
> 
> why not just sniff the traffic on a session you create?
> 
> -----Original Message-----
> From: Eric Joe [mailto:sysop at ...6291...]
> Sent: Tuesday, August 13, 2002 2:24 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Writing custom rule for SSL 401 errors
> 
> 
> Hello,
> I am trying to write a snort rule that sends an alert when 
> someone gets a
> 401 "Authorization Required" error while using SSL. I have the non-SSL
> rule working as such
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
> RESPONSES Http Failed Authorization"; content: "HTTP/1.\
> 1 401 "; flags:A+; classtype:bad-unknown; sid:1000001; rev:1;)
> 
> It works fine, but with SSL encryption I am having trouble with the
> "content" parameter. I guess if I knew what HTTP/1.1 401  
> looked like when
> its encrypted, it would be a piece of cake.
> Anyone have any insight on this?  Thanks in advance.
> 
> 
> -- 
> Eric Joe
> Network Operations
> Journey's End Internet/Computer Connection Inc
> 
> 
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by: Dice - The leading online job board
> for high-tech professionals. Search and apply for tech jobs today!
> http://seeker.dice.com/seeker.epl?rel_code=31
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by: Dice - The leading online job board
> for high-tech professionals. Search and apply for tech jobs today!
> http://seeker.dice.com/seeker.epl?rel_code=31
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 




More information about the Snort-users mailing list