[Snort-users] Writing custom rule for SSL 401 errors
security at ...5028...
Tue Aug 13 13:25:05 EDT 2002
it is encrypted and as a result will be different every time. The only
to catch the actual content would be to front end the system and have
snort see the clear traffic.
Hicks, John wrote:
>why not just sniff the traffic on a session you create?
>From: Eric Joe [mailto:sysop at ...6291...]
>Sent: Tuesday, August 13, 2002 2:24 PM
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] Writing custom rule for SSL 401 errors
>I am trying to write a snort rule that sends an alert when someone gets a
>401 "Authorization Required" error while using SSL. I have the non-SSL
>rule working as such
>alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
>RESPONSES Http Failed Authorization"; content: "HTTP/1.\
>1 401 "; flags:A+; classtype:bad-unknown; sid:1000001; rev:1;)
>It works fine, but with SSL encryption I am having trouble with the
>"content" parameter. I guess if I knew what HTTP/1.1 401 looked like when
>its encrypted, it would be a piece of cake.
>Anyone have any insight on this? Thanks in advance.
More information about the Snort-users