[Snort-users] SSL CodeRed et al

Frank Knobbe fknobbe at ...652...
Tue May 28 11:39:04 EDT 2002


I doubt that it's CodeRed running over SSL. More likely it is that script
kiddies are running their exploit tools (for Unicode, MDAC, etc.) over an
SSL session to evade capture by IDS.

As pointed out already, check your logs.

Oh, you said: "The developer is claiming that the problem is CodeRed or
Nimda attacking on the SSL port." Well? Does the developer mean that they
have not secured the box against it? And if they did, CodeRed would not
cause any harm. Sounds like they are just full of it.

Regards,
Frank



On Tue, 2002-05-28 at 11:16, East, Bill wrote:
> > 
> > I know I wouldn't be able to see the encrypted traffic, but 
> > that's only an
> > issue if the worm is actually making an SSL connection, which 
> > I seriously
> > doubt.
> > 
> > If, on the other hand, the worm was just blindly sending the 
> > exploit data to
> > port 443, Snort would be able to pick it up.
> > 
> > Either way, I think they're full of crap too.  Their 
> > product isn't based
> > on IIS, so these worms shouldn't be an issue.
> > 
> 
> Encrypted or no, if either worm was hitting the server, you would see the
> attack strings in IIS's logfiles. I would not rule out someone rewriting the
> worms to use SSL, but on the other hand I have not seen that traffic (yet).
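Two points from this thread lend themselves to a small detection example: a worm that blindly throws its HTTP exploit at port 443 sends plaintext rather than a TLS handshake (so a sensor can still see it), and whatever arrives, encrypted or not, is decrypted by the server and lands in the IIS log, which is why "check your logs" is the right first step. The script below is an added illustration written for this note, not code from the list thread or from Snort; the IIS W3C log lines, the indicator patterns (`default.ida` for CodeRed, Unicode traversal to `cmd.exe` for Nimda, `msadcs.dll` for MDAC) and the byte samples are constructed for demonstration.

```python
import re

# Constructed sample: IIS W3C-style log lines, including the kind of request
# URIs the worms and tools named in the thread leave behind. Not real traffic.
SAMPLE_IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-05-28 11:02:17 10.0.0.5 GET /index.html - 200
2002-05-28 11:02:19 10.0.0.9 GET /default.ida NNNNNNNN%u9090%u6858=a 404
2002-05-28 11:03:01 10.0.0.9 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
2002-05-28 11:03:40 10.0.0.12 GET /msadc/msadcs.dll - 404
2002-05-28 11:04:02 10.0.0.5 GET /about.html - 200
"""

# Request-URI indicators. These are well-known signatures of the tools the
# thread mentions; they are illustrative, not an exhaustive ruleset.
INDICATORS = {
    "CodeRed": re.compile(r"/default\.ida", re.I),
    "Nimda/Unicode traversal": re.compile(r"(%c1%1c|%c0%af|\.\./).*cmd\.exe", re.I),
    "MDAC (msadcs.dll)": re.compile(r"/msadc/msadcs\.dll", re.I),
}


def scan_iis_log(text):
    """Return (client_ip, indicator_label, request_uri) for each suspicious line.

    The server has already decrypted SSL traffic by the time it writes the log,
    so this works regardless of whether the request came in on 80 or 443.
    """
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # header / directive lines
        parts = line.split()
        if len(parts) < 7:
            continue
        _date, _time, client_ip, _method, stem, query, _status = parts[:7]
        uri = stem if query == "-" else f"{stem}?{query}"
        for label, pattern in INDICATORS.items():
            if pattern.search(uri):
                hits.append((client_ip, label, uri))
                break  # one label per line is enough
    return hits


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"PROPFIND ", b"SEARCH ")


def classify_port443_payload(data: bytes) -> str:
    """Classify the first bytes seen on a port-443 connection.

    A real SSL/TLS session opens with a record whose content type is 0x16
    (handshake) and whose major version byte is 0x03. A worm that blindly
    replays its HTTP exploit at 443 starts with a plaintext request line
    instead, which is exactly what a network IDS can still match on.
    """
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03:
        return "tls-handshake"
    if data.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "unknown"


if __name__ == "__main__":
    for ip, label, uri in scan_iis_log(SAMPLE_IIS_LOG):
        print(f"{ip:<10} {label:<24} {uri}")
    # Constructed byte samples: a TLS ClientHello record header vs. a bare
    # HTTP request sent to 443 without any handshake.
    print(classify_port443_payload(b"\x16\x03\x01\x00\x2f\x01\x00\x00"))
    print(classify_port443_payload(b"GET /default.ida NNNN HTTP/1.0\r\n"))
```

The log scan flags three of the five constructed lines (CodeRed, Nimda, MDAC) and ignores the normal page requests; the payload classifier labels the handshake bytes `tls-handshake` and the bare request `plaintext-http`, which is the case in which Snort would see the exploit string even on the SSL port.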

