[Snort-users] Writing custom rule for SSL 401 errors

Matt Kettler mkettler at ...4108...
Tue Aug 13 13:23:02 EDT 2002


With SSL what you suggest should theoretically be impossible, or at least 
so computationally infeasible that it's impossible in reasonable time. It's 
purposefully designed to prevent exactly what you propose doing :).

If it were possible to identify the contents of encrypted data, it wouldn't 
exactly be encrypted very well, now would it? A simple known plaintext 
attack, such as this, is considered to be a severe weakness in most 
cryptosystems, since most protocols have lots of common headers and other 
known plaintext.

That's why ideally all keys are random, as are initialization vectors and 
data padding. No two encryptions of the same data should look the same due 
to the constantly changing keys, etc.


At 02:23 PM 8/13/2002 -0400, Eric Joe wrote:
>Hello,
>I am trying to write a snort rule that sends an alert when someone gets a
>401 "Authorization Required" error while using SSL. I have the non-SSL
>rule working as such
>alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES Http Failed Authorization"; content:"HTTP/1.1 401 "; flags:A+; classtype:bad-unknown; sid:1000001; rev:1;)
>
>It works fine, but with SSL encryption I am having trouble with the
>"content" parameter. I guess if I knew what HTTP/1.1 401  looked like when
>its encrypted, it would be a piece of cake.
>Anyone have any insight on this?  Thanks in advance.
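
The point of the reply above, shown as an added example that is not part of the original thread: the rule's content: match is a plain byte search, and it cannot see "HTTP/1.1 401 " once the response is encrypted, because every encryption of the same bytes under a fresh IV looks different. The cipher here is a stand-in built from the Python standard library (HMAC-SHA256 keystream in counter mode), not TLS; the sample 401 response, key and IVs are constructed for the demonstration. The same code also shows the failure mode the reply warns about: with a reused IV the two ciphertexts come out identical.

```python
import hashlib
import hmac
import os

# The byte pattern the Snort rule quoted in the thread matches with its
# content: keyword on cleartext HTTP responses.
PATTERN = b"HTTP/1.1 401 "

# Constructed sample server response; not captured traffic.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 401 Authorization Required\r\n"
    b'WWW-Authenticate: Basic realm="example"\r\n'
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def content_match(data: bytes, pattern: bytes = PATTERN) -> bool:
    """Plain byte search, the same test the rule's content: keyword performs."""
    return pattern in data


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: HMAC-SHA256(key, iv || counter) per 32-byte block.

    A stand-in so the example runs on the standard library alone (assumption:
    not TLS's record layer). The property shown, same key and IV giving the
    same keystream, holds for real counter-mode and stream ciphers too.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """XOR the plaintext with the keystream derived from key and IV."""
    ks = keystream(key, iv, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse, so decryption is the same operation."""
    return encrypt(key, iv, ciphertext)


def random_iv() -> bytes:
    """Fresh random 16-byte IV, the 'constantly changing' part the reply describes."""
    return os.urandom(16)


def encryptions_look_alike(key: bytes, plaintext: bytes, iv_a: bytes, iv_b: bytes) -> bool:
    """True when two encryptions of the same plaintext produce identical bytes."""
    return encrypt(key, iv_a, plaintext) == encrypt(key, iv_b, plaintext)


if __name__ == "__main__":
    key = os.urandom(32)  # constructed session key
    print("cleartext matches rule:", content_match(SAMPLE_RESPONSE))
    ct1 = encrypt(key, random_iv(), SAMPLE_RESPONSE)
    ct2 = encrypt(key, random_iv(), SAMPLE_RESPONSE)
    print("ciphertext matches rule:", content_match(ct1))
    print("two encryptions identical (random IVs):", ct1 == ct2)
    fixed_iv = bytes(16)
    print("two encryptions identical (reused IV):",
          encryptions_look_alike(key, SAMPLE_RESPONSE, fixed_iv, fixed_iv))
```

Running it prints True for the cleartext match and False for the ciphertext match with random IVs; the last line prints True, which is exactly the repeated-ciphertext condition that a known-plaintext match would exploit and that random IVs are there to prevent.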
