[Snort-users] SSL CodeRed et al
eastb at ...3694...
Tue May 28 09:17:04 EDT 2002
> -----Original Message-----
> From: bthaler at ...2720... [mailto:bthaler at ...2720...]
> Sent: Tuesday, May 28, 2002 11:45 AM
> To: Sean T. Ballard; snort-users at lists.sourceforge.net
> Subject: RE: [Snort-users] SSL CodeRed et al
> I know I wouldn't be able to see the encrypted traffic, but that's only
> an issue if the worm is actually making an SSL connection, which I seriously
> If, on the other hand, the worm was just blindly sending the exploit data
> to port 443, Snort would be able to pick it up.
> Either way, I think they're full of crap too. Their product isn't based
> on IIS, so these worms shouldn't be an issue.
Encrypted or no, if either worm was hitting the server, you would see the
attack strings in IIS's logfiles. I would not rule out someone rewriting the
worms to use SSL, but on the other hand I have not seen that traffic (yet).
be - MOS
I've already told you more than I know.
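
The log check described in the reply above, as an added example that is not part of the original post: IIS logs the request it actually served, so it is recorded in cleartext whether or not it arrived over SSL. The sketch covers only Code Red's well-known `.ida` request with long `N` or `X` padding; the sample log is constructed, and the field list and the 100-character threshold are assumptions.

```python
import re

# Constructed sample in IIS W3C extended format (documentation-range addresses).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-05-28 09:01:12 192.0.2.10 GET /index.html - 200
2002-05-28 09:02:40 198.51.100.7 GET /default.ida {n} 200
2002-05-28 09:03:05 203.0.113.44 GET /default.ida {x} 404
2002-05-28 09:04:19 192.0.2.10 GET /search.ida q=NNNN 200
""".format(n="N" * 224, x="X" * 224)

# Assumed threshold: a run of 100+ identical N or X characters in the query.
PADDING = re.compile(r"N{100,}|X{100,}")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the active #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # directive can change mid-file
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or odd lines
                yield dict(zip(fields, values))


def find_ida_overflow_attempts(text):
    """Return (client IP, HTTP status) for each Code Red style .ida request."""
    hits = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "")
        if stem.endswith(".ida") and PADDING.search(query):
            hits.append((rec.get("c-ip"), rec.get("sc-status")))
    return hits


if __name__ == "__main__":
    for ip, status in find_ida_overflow_attempts(SAMPLE_LOG):
        print(f"{ip} sent a padded .ida request (status {status})")
```

The same parser works on logs from an SSL-only site, because the fields are written after the server has decrypted the request.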