[Snort-users] Writing custom rule for SSL 401 errors

Dan Mahoney, System Admin danm at ...6608...
Tue Aug 13 16:56:02 EDT 2002


On Tue, 13 Aug 2002, Jason wrote:

> it is encrypted and as a result will be different every time. The only
> to catch the actual content would be to front end the system and have
> snort see the clear traffic.

Well, hrmm, here's a thought, but it's ugly.  Have apache log to "tee",
and pipe that over a symmetrically encrypted tunnel with netcat to
anywhere on the lan and monitor that.  (or for that matter, an
asymmetrically encrypted tunnel to your sniffer)

I said it was ugly.

But it's the first thing I can come up with off the top of my head.

-Dan

>
> Jason
>
> Hicks, John wrote:
>
> >why not just sniff the traffic on a session you create?
> >
> >-----Original Message-----
> >From: Eric Joe [mailto:sysop at ...6291...]
> >Sent: Tuesday, August 13, 2002 2:24 PM
> >To: snort-users at lists.sourceforge.net
> >Subject: [Snort-users] Writing custom rule for SSL 401 errors
> >
> >
> >Hello,
> >I am trying to write a snort rule that sends an alert when someone gets a
> >401 "Authorization Required" error while using SSL. I have the non-SSL
> >rule working as such
> >alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
> >RESPONSES Http Failed Authorization"; content: "HTTP/1.\
> >1 401 "; flags:A+; classtype:bad-unknown; sid:1000001; rev:1;)
> >
> >It works fine, but with SSL encryption I am having trouble with the
> >"content" parameter. I guess if I knew what HTTP/1.1 401  looked like when
> >its encrypted, it would be a piece of cake.
> >Anyone have any insight on this?  Thanks in advance.
> >
> >
> >
> >
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by: Dice - The leading online job board
> for high-tech professionals. Search and apply for tech jobs today!
> http://seeker.dice.com/seeker.epl?rel_code=31
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>

--

"I wish the Real World would just stop hassling me!"

-Matchbox 20, Real World, off the album "Yourself or Someone Like You"


--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Web: http://prime.gushi.org
finger danm at ...6608...
for pgp public key and tel#
---------------------------






More information about the Snort-users mailing list