[Snort-users] Writing custom rule for SSL 401 errors

David Yip dy at ...6387...
Wed Aug 14 15:10:02 EDT 2002


Have a look at this one.

http://sourceforge.net/projects/httpssniffer/

Jason Brvenik wrote:
> A clarification, I should have said it is encrypted using SSL and _should_ be
> different for every session if properly implemented. I did not intend to imply
> that all encryption was dynamic.
> 
> That being said, I have solved this problem in the past with reverse proxies or
> accelerators. Unfortunately, I just got done checking the docs for my favorite
> open source proxy and see that it does not support SSL in a reverse proxy mode.
> 
> There are other options though.
> 1) An accellerator. Not cheap.
> 2) Commercial proxies. Not Cheap
> 3) An open source proxy that does support it. ( If you find one please forward
> the info to me)
> 4) maybe mod_proxy with apache?
> 6) stunnel
> 
> I know you can do it with stunnel so try it this way for a low budget option
> get stunnel at http://www.stunnel.org
> read the docs
> 
> set it up for realip:443 connecting to localhost:80 and have snort listen on the
> loopback. or use a closed net between an stunnel host and the web server.
> 
> HTH
> Jason.
> 
> 
> 
> "Dan Mahoney, System Admin" wrote:
> 
> 
>>On Tue, 13 Aug 2002, Jason wrote:
>>
>>
>>>it is encrypted and as a result will be different every time. The only
>>>to catch the actual content would be to front end the system and have
>>>snort see the clear traffic.
>>
>>Well, hrmm, here's a thought, but it's ugly.  Have apache log to "tee",
>>and pipe that over a symmetrically encrypted tunnel with netcat to
>>anywhere on the lan and monitor that.  (or for that matter, an
>>asymmetrically encrypted tunnel to your sniffer)
>>
>>I said it was ugly.
>>
>>But it's the first thing I can come up with off the top of my head.
>>
>>-Dan
>>
>>
>>>Jason
>>>
>>>Hicks, John wrote:
>>>
>>>
>>>>why not just sniff the traffic on a session you create?
>>>>
>>>>-----Original Message-----
>>>>From: Eric Joe [mailto:sysop at ...6291...]
>>>>Sent: Tuesday, August 13, 2002 2:24 PM
>>>>To: snort-users at lists.sourceforge.net
>>>>Subject: [Snort-users] Writing custom rule for SSL 401 errors
>>>>
>>>>
>>>>Hello,
>>>>I am trying to write a snort rule that sends an alert when someone gets a
>>>>401 "Authorization Required" error while using SSL. I have the non-SSL
>>>>rule working as such
>>>>alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
>>>>RESPONSES Http Failed Authorization"; content: "HTTP/1.\
>>>>1 401 "; flags:A+; classtype:bad-unknown; sid:1000001; rev:1;)
>>>>
>>>>It works fine, but with SSL encryption I am having trouble with the
>>>>"content" parameter. I guess if I knew what HTTP/1.1 401  looked like when
>>>>its encrypted, it would be a piece of cake.
>>>>Anyone have any insight on this?  Thanks in advance.
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>-------------------------------------------------------
>>>This sf.net email is sponsored by: Dice - The leading online job board
>>>for high-tech professionals. Search and apply for tech jobs today!
>>>http://seeker.dice.com/seeker.epl?rel_code=31
>>>_______________________________________________
>>>Snort-users mailing list
>>>Snort-users at lists.sourceforge.net
>>>Go to this URL to change user options or unsubscribe:
>>>https://lists.sourceforge.net/lists/listinfo/snort-users
>>>Snort-users list archive:
>>>http://www.geocrawler.com/redir-sf.php3?list=snort-users
>>>
>>
>>--
>>
>>"I wish the Real World would just stop hassling me!"
>>
>>-Matchbox 20, Real World, off the album "Yourself or Someone Like You"
>>
>>--------Dan Mahoney--------
>>Techie,  Sysadmin,  WebGeek
>>Gushi on efnet/undernet IRC
>>ICQ: 13735144   AIM: LarpGM
>>Web: http://prime.gushi.org
>>finger danm at ...6608...
>>for pgp public key and tel#
>>---------------------------
> 
> 
> 
> 
> -------------------------------------------------------
> This sf.net email is sponsored by: Dice - The leading online job board
> for high-tech professionals. Search and apply for tech jobs today!
> http://seeker.dice.com/seeker.epl?rel_code=31
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users






More information about the Snort-users mailing list