[Snort-users] Writing custom rule for SSL 401 errors

Jason security at ...5028...
Tue Aug 13 13:25:05 EDT 2002


It is encrypted and as a result will be different every time. The only
way to catch the actual content would be to front end the system and have
Snort see the clear traffic.

Jason

Hicks, John wrote:

>Why not just sniff the traffic on a session you create?
>
>-----Original Message-----
>From: Eric Joe [mailto:sysop at ...6291...]
>Sent: Tuesday, August 13, 2002 2:24 PM
>To: snort-users at lists.sourceforge.net
>Subject: [Snort-users] Writing custom rule for SSL 401 errors
>
>
>Hello,
>I am trying to write a snort rule that sends an alert when someone gets a
>401 "Authorization Required" error while using SSL. I have the non-SSL
>rule working as such
>alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES Http Failed Authorization"; content: "HTTP/1.1 401 "; flags:A+; classtype:bad-unknown; sid:1000001; rev:1;)
>
>It works fine, but with SSL encryption I am having trouble with the
>"content" parameter. I guess if I knew what HTTP/1.1 401 looked like when
>it's encrypted, it would be a piece of cake.
>Anyone have any insight on this?  Thanks in advance.
>
>
>  
>
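An added example, not part of the original thread: what a sensor can read from a server response on the SSL port compared with the same response in cleartext behind an SSL-terminating front end. It assumes SSLv3/TLS record framing; both payloads are constructed, the "ciphertext" is a stand-in byte string rather than real encryption, and the function names are hypothetical.

```python
import struct

# The byte string the rule's content option searches for in the payload.
PATTERN = b"HTTP/1.1 401 "

TLS_TYPES = {20: "change_cipher_spec", 21: "alert",
             22: "handshake", 23: "application_data"}


def tls_records(payload):
    """Yield (type_name, body_length) for each complete SSLv3/TLS record."""
    off = 0
    while off + 5 <= len(payload):
        # Record header: content type, version major/minor, body length.
        ctype, major, _minor, length = struct.unpack_from("!BBBH", payload, off)
        if ctype not in TLS_TYPES or major != 3:
            return  # not SSLv3/TLS record framing
        if off + 5 + length > len(payload):
            return  # record continues in a later segment
        yield TLS_TYPES[ctype], length
        off += 5 + length


def inspect(payload):
    """Report what is readable in one server-to-client payload."""
    records = list(tls_records(payload))
    return {
        "visible": "tls" if records else "cleartext",
        "records": records,
        # Same test the content option performs: raw substring search.
        "content_match": PATTERN in payload,
    }


# Constructed sample: the response as seen on the cleartext side of a front end.
CLEAR_401 = (b"HTTP/1.1 401 Authorization Required\r\n"
             b"WWW-Authenticate: Basic realm=\"example\"\r\n\r\n")

# Constructed sample: one application_data record as seen on the SSL port.
# The body is a 64-byte stand-in for ciphertext, not real encrypted data.
STAND_IN_CIPHERTEXT = bytes(range(0x80, 0xC0))
TLS_401 = (b"\x17\x03\x01" + struct.pack("!H", len(STAND_IN_CIPHERTEXT))
           + STAND_IN_CIPHERTEXT)

if __name__ == "__main__":
    for name, data in (("cleartext", CLEAR_401), ("ssl", TLS_401)):
        print(name, inspect(data))
```

On the SSL port only the five-byte record header (type, version, length) is readable, so a rule there has nothing in the body to match on; the status line is available only where the traffic is in the clear.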




