[Snort-users] SSL CodeRed et al

East, Bill eastb at ...3694...
Tue May 28 09:17:04 EDT 2002

> -----Original Message-----
> From: bthaler at ...2720... [mailto:bthaler at ...2720...]
> Sent: Tuesday, May 28, 2002 11:45 AM
> To: Sean T. Ballard; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] SSL CodeRed et al
> I know I wouldn't be able to see the encrypted traffic, but that's only an
> issue if the worm is actually making an SSL connection, which I seriously
> doubt.
> If, on the other hand, the worm was just blindly sending the exploit data to
> port 443, Snort would be able to pick it up.
> Either way, I think they're full of crap too.  Their product isn't based
> on IIS, so these worms shouldn't be an issue.

Encrypted or no, if either worm was hitting the server, you would see the
attack strings in IIS's logfiles. I would not rule out someone rewriting the
worms to use SSL, but on the other hand I have not seen that traffic (yet).

be - MOS

I've already told you more than I know.
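
An added illustration of the reply above, not part of the original message: a Python scan of IIS W3C extended logs for the Code Red `default.ida` padding signature. It includes a port-443 entry because IIS writes the log after decryption. The sample log lines, the field selection and the 100-character padding threshold are assumptions constructed for this example.

```python
import re
from collections import Counter

# Code Red v1 pads the .ida query with a long run of 'N'; Code Red II uses 'X'.
PADDING = re.compile(r"^(N{100,}|X{100,})")
VARIANT = {"N": "CodeRed", "X": "CodeRedII"}

def parse_w3c(lines):
    """Yield one dict per request, using the most recent #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def find_code_red(lines):
    """Return (variant, client IP, server port) for each matching request."""
    hits = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        m = PADDING.match(rec.get("cs-uri-query", ""))
        if stem.endswith("/default.ida") and m:
            hits.append((VARIANT[m.group(1)[0]], rec.get("c-ip"), rec.get("s-port")))
    return hits

# Constructed sample log (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query s-port sc-status",
    "2002-05-28 13:01:10 192.0.2.10 GET /index.html - 80 200",
    "2002-05-28 13:02:44 198.51.100.7 GET /default.ida " + "N" * 224 + "%u9090 80 200",
    "2002-05-28 13:05:02 203.0.113.9 GET /default.ida " + "X" * 224 + "%u9090 443 200",
    "2002-05-28 13:06:30 192.0.2.10 GET /search.ida q=NNN 443 404",
]

if __name__ == "__main__":
    hits = find_code_red(SAMPLE_LOG)
    for variant, ip, port in hits:
        print(f"{variant:10} from {ip} on port {port}")
    print(Counter(port for _, _, port in hits))
```

The `s-port` column is what separates hits that arrived over SSL from those on port 80, so it needs to be enabled in the site's logging properties for this comparison to work.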
