[Snort-users] Writing custom rule for SSL 401 errors
mkettler at ...4108...
Tue Aug 13 13:23:02 EDT 2002
With SSL what you suggest should theoretically be impossible, or at least
so computationally infeasible that it's impossible in reasonable time. It's
purposefully designed to prevent exactly what you propose doing :).
If it were possible to identify the contents of encrypted data, it wouldn't
exactly be encrypted very well, now would it? A simple known plaintext
attack, such as this, is considered to be a severe weakness in most
cryptosystems, since most protocols have lots of common headers and other
That's why ideally all keys are random, as are initialization vectors and
data padding. No two encryptions of the same data should look the same due
to the constantly changing keys, etc.
At 02:23 PM 8/13/2002 -0400, Eric Joe wrote:
>I am trying to write a snort rule that sends an alert when someone gets a
>401 "Authorization Required" error while using SSL. I have the non-SSL
>rule working as such
>alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES Http Failed Authorization"; content: "HTTP/1.1 401 "; flags:A+; classtype:bad-unknown; sid:1000001; rev:1;)
>It works fine, but with SSL encryption I am having trouble with the
>"content" parameter. I guess if I knew what HTTP/1.1 401 looked like when
>it's encrypted, it would be a piece of cake.
>Anyone have any insight on this? Thanks in advance.
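
Added example, not part of the original thread: the same 401 response encrypted once per session with a random key and IV never contains the rule's content bytes, and no two ciphertexts are alike. The HMAC-SHA256 counter-mode keystream is a stand-in for a real SSL cipher; the sample response, key and IV sizes, and function names are assumptions.

```python
import hashlib
import hmac
import os

PATTERN = b"HTTP/1.1 401 "  # the content string from the rule quoted above
RESPONSE = (b"HTTP/1.1 401 Authorization Required\r\n"
            b"WWW-Authenticate: Basic realm=\"example\"\r\n\r\n")  # constructed sample


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in, not an SSL cipher suite)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt under a fresh random IV; the IV is sent in front of the ciphertext."""
    iv = os.urandom(16)
    ks = keystream(key, iv, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def content_match(payload: bytes, pattern: bytes = PATTERN) -> bool:
    """What a 'content:' option does: search the payload for the literal bytes."""
    return pattern in payload


def simulate(sessions: int = 1000) -> dict:
    """Send the same 401 response over many sessions, each with its own random key."""
    wire = [encrypt(os.urandom(32), RESPONSE) for _ in range(sessions)]
    return {
        "plaintext_hit": content_match(RESPONSE),
        "encrypted_hits": sum(content_match(w) for w in wire),
        "distinct_ciphertexts": len(set(wire)),
    }


if __name__ == "__main__":
    print(simulate())
```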