[Snort-users] SSL CodeRed et al

Phil Wood cpw at ...440...
Tue May 28 09:10:04 EDT 2002

If I got a report like that, I'd slap up a snort with the web rules set
for port 443 instead of port 80 as well as buffer overflow checks (again, just
for port 443 and the internal web server address), and see what, if anything
was going on.

Co-ordinate your clocks and see if there is any correlation between traffic
seen and their service dying.  (what does their web server log show?)

This is not a question for consensus.  You need data so you can, with some
assurance, say "yea" or "nea" to the assertion.  You might be able to
correlate certain packet traffic with the times that their web server goes

Take it as a challenge.

On Tue, May 28, 2002 at 11:19:45AM -0400, bthaler at ...2720... wrote:
> Sorry for the dumb question, and I think I already know the answer, but:
> Has anyone heard of a CodeRed or Nimda variant attacking on port 443 (SSL)?
> The reason I'm asking, is that we have a web-based interface to an
> application that runs its own internal web server (not IIS), and the service
> keeps dying.  The developer is claiming that the problem is CodeRed or Nimda
> attacking on the SSL port.
> We're about to tell them that they're fll of $hlt, but I wante dto run it by
> you guys first...
> Regards,
> Brad T.
> _______________________________________________________________
> Don't miss the 2002 Sprint PCS Application Developer's Conference
> August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

Phil Wood, cpw at ...440...

More information about the Snort-users mailing list