[Snort-users] Writing custom rule for SSL 401 errors

Jason Brvenik security at ...5028...
Tue Aug 13 17:42:03 EDT 2002


A clarification: I should have said it is encrypted using SSL and _should_ be
different for every session if properly implemented. I did not intend to imply
that all encryption was dynamic.

That being said, I have solved this problem in the past with reverse proxies or
accelerators. Unfortunately, I just got done checking the docs for my favorite
open source proxy and see that it does not support SSL in a reverse proxy mode.

There are other options though.
1) An accelerator. Not cheap.
2) Commercial proxies. Not cheap.
3) An open source proxy that does support it. (If you find one, please forward
the info to me.)
4) Maybe mod_proxy with Apache?
5) stunnel

I know you can do it with stunnel, so try it this way for a low-budget option:
get stunnel at http://www.stunnel.org
read the docs

Set it up for realip:443 connecting to localhost:80 and have Snort listen on the
loopback, or use a closed net between a stunnel host and the web server.

HTH
Jason.
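As an added illustration of what changes once Snort watches the loopback behind stunnel as described above (this is not code from the thread): a toy matcher for the header part of the rule Eric posted, run over constructed packets and constructed snort.conf variables. It assumes EXTERNAL_NET is defined as !$HOME_NET with loopback inside HOME_NET; with the default EXTERNAL_NET of `any` the original direction test already passes.

```python
# Added example, not code from the thread: a toy model of the posted rule's
# header tests once Snort listens on lo behind stunnel. Variable values and
# packets are constructed; only the rule syntax the thread uses is modelled.
import ipaddress
from collections import namedtuple

# Constructed snort.conf-style variables: HOME_NET includes loopback and
# EXTERNAL_NET is defined as "not HOME_NET", a common hardening choice.
VARS = {
    "HOME_NET": ["203.0.113.0/24", "127.0.0.0/8"],
    "EXTERNAL_NET": ["!HOME_NET"],
    "HTTP_SERVERS": ["127.0.0.1"],   # the web server stunnel forwards to
}
HTTP_PORTS = {80}
CONTENT = b"HTTP/1.1 401 "           # the content: string from the rule

Packet = namedtuple("Packet", "src dst sport dport ack payload")

def addr_in(spec, ip):
    """Evaluate a $VAR address spec: 'any', a CIDR list, or !OTHER_VAR."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    for entry in VARS[spec]:
        if entry.startswith("!"):
            if not addr_in(entry[1:], ip):
                return True
        elif addr in ipaddress.ip_network(entry, strict=False):
            return True
    return False

def rule_matches(pkt, dst_spec="EXTERNAL_NET"):
    """$HTTP_SERVERS $HTTP_PORTS -> $<dst_spec> any, flags:A+, content."""
    return (addr_in("HTTP_SERVERS", pkt.src) and pkt.sport in HTTP_PORTS
            and addr_in(dst_spec, pkt.dst) and pkt.ack
            and CONTENT in pkt.payload)

# Cleartext reply as seen on lo: both endpoints are 127.0.0.1 (stunnel's
# side uses an ephemeral port), so the original destination test fails.
CLEAR_401 = Packet("127.0.0.1", "127.0.0.1", 80, 45000, True,
                   b"HTTP/1.1 401 Authorization Required\r\n\r\n")
# Same reply on the public side: a TLS application-data record whose body
# is constructed stand-in ciphertext, so the content string is absent.
TLS_401 = Packet("203.0.113.10", "198.51.100.7", 443, 51000, True,
                 b"\x17\x03\x01\x00\x20" + bytes(range(32)))

if __name__ == "__main__":
    print(rule_matches(CLEAR_401))         # False: dst is not $EXTERNAL_NET
    print(rule_matches(CLEAR_401, "any"))  # True with the destination relaxed
    print(rule_matches(TLS_401, "any"))    # False: public side, 443, ciphertext
```

In this setup the alert's addresses are both loopback, because stunnel originates the cleartext connection, so the real client IP has to be recovered from stunnel's or Apache's logs rather than from the alert.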



"Dan Mahoney, System Admin" wrote:

> On Tue, 13 Aug 2002, Jason wrote:
>
> > it is encrypted and as a result will be different every time. The only way
> > to catch the actual content would be to front end the system and have
> > snort see the clear traffic.
>
> Well, hrmm, here's a thought, but it's ugly.  Have apache log to "tee",
> and pipe that over a symmetrically encrypted tunnel with netcat to
> anywhere on the lan and monitor that.  (or for that matter, an
> asymmetrically encrypted tunnel to your sniffer)
>
> I said it was ugly.
>
> But it's the first thing I can come up with off the top of my head.
>
> -Dan
>
> >
> > Jason
> >
> > Hicks, John wrote:
> >
> > >why not just sniff the traffic on a session you create?
> > >
> > >-----Original Message-----
> > >From: Eric Joe [mailto:sysop at ...6291...]
> > >Sent: Tuesday, August 13, 2002 2:24 PM
> > >To: snort-users at lists.sourceforge.net
> > >Subject: [Snort-users] Writing custom rule for SSL 401 errors
> > >
> > >
> > >Hello,
> > >I am trying to write a snort rule that sends an alert when someone gets a
> > >401 "Authorization Required" error while using SSL. I have the non-SSL
> > >rule working as such
> > >alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES Http Failed Authorization"; content: "HTTP/1.1 401 "; flags:A+; classtype:bad-unknown; sid:1000001; rev:1;)
> > >
> > >It works fine, but with SSL encryption I am having trouble with the
> > >"content" parameter. I guess if I knew what HTTP/1.1 401 looked like when
> > >it's encrypted, it would be a piece of cake.
> > >Anyone have any insight on this? Thanks in advance.
> > >
> > >
> > >
> > >
> >
> >
>
> --
>
> "I wish the Real World would just stop hassling me!"
>
> -Matchbox 20, Real World, off the album "Yourself or Someone Like You"
>
> --------Dan Mahoney--------
> Techie,  Sysadmin,  WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144   AIM: LarpGM
> Web: http://prime.gushi.org
> finger danm at ...6608...
> for pgp public key and tel#
> ---------------------------
