[Snort-users] SSL CodeRed et al

bthaler at ...2720...
Tue May 28 11:46:04 EDT 2002


To all who replied:

We weren't actually seeing any CodeRed or Nimda traffic over port 443, even
with snort rules in place to detect this.  We are certain that this isn't
happening, but the software developer seems to think that it is.

Even though this application is *not* running IIS, and is therefore immune
to CodeRed/Nimda, this is the excuse they're using.

I just wanted to check with you all, the Snort community, and make sure that
you all have not seen this type of traffic before.

After careful consideration, we have determined that this particular support
person (the guy who said that SSL CodeRed is making our server crash) is
full of crap.

Thanks for the replies.

Sincerely,

Brad T.

> -----Original Message-----
> From: Frank Knobbe [mailto:fknobbe at ...652...]
> Sent: Tuesday, May 28, 2002 2:38 PM
> To: East, Bill
> Cc: 'bthaler at ...2720...'; 'snort-users at lists.sourceforge.net'
> Subject: RE: [Snort-users] SSL CodeRed et al
>
>
> I doubt that it's CodeRed running over SSL. More likely it is that script
> kiddies are running their exploit tools (for Unicode, MDAC, etc.) over an
> SSL session to evade capture by IDS.
>
> As pointed out already, check your logs.
>
> Oh, you said: "The developer is claiming that the problem is CodeRed or
> Nimda attacking on the SSL port." Well? Does the developer mean that they
> have not secured the box against it? And if they did, CodeRed would not
> cause any harm. Sounds like they are just full of it.
>
> Regards,
> Frank
>
>
>
> On Tue, 2002-05-28 at 11:16, East, Bill wrote:
> > >
> > > I know I wouldn't be able to see the encrypted traffic, but
> > > that's only an
> > > issue if the worm is actually making a SSL connection, which
> > > I seriously
> > > doubt.
> > >
> > > If, on the other hand, the worm was just blindly sending the
> > > exploit data to
> > > port 443, Snort would be able to pick it up.
> > >
> > > Either way, I think they're full of crap too.  Their
> > > product isn't based
> > > on IIS, so these worms shouldn't be an issue.
> > >
> >
> > Encrypted or no, if either worm was hitting the server, you
> would see the
> > attack strings in IIS's logfiles. I would not rule out someone
> rewriting the
> > worms to use SSL, but on the other hand I have not seen that
> traffic (yet).
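The point both replies make, that an IDS can only pattern-match worm traffic sent to port 443 in the clear, and that a real hit would still leave its attack strings in the IIS logs, as an added Python example (not code from the thread; the sample bytes, the log excerpt and the worm request patterns are constructed from public descriptions of CodeRed/Nimda, not taken from this post):

```python
import re

# Constructed samples (not from the thread): a TLS ClientHello prefix and a
# plaintext HTTP request fired at port 443 without any SSL handshake.
TLS_CLIENT_HELLO_PREFIX = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x01"
PLAINTEXT_TO_443 = b"GET /default.ida?NNNNNNNNNNNN HTTP/1.0\r\n"


def classify_first_bytes(payload: bytes) -> str:
    """A worm 'blindly' sending its exploit to 443 produces plaintext HTTP that
    Snort can match; a real SSL session starts with a TLS record header
    (content type 0x16, version major 0x03) and is opaque to signatures."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls-handshake"
    if re.match(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r?\n", payload):
        return "plaintext-http"
    return "unknown"


# Well-known request patterns of these worms (public knowledge, assumed here,
# not quoted from the thread), matched against cs-uri-stem?cs-uri-query.
WORM_PATTERNS = [
    ("CodeRed", re.compile(r"^/default\.ida\?N{20,}", re.I)),
    ("Unicode-traversal", re.compile(r"%c0%af|%c1%1c", re.I)),
    ("Nimda", re.compile(r"(root|cmd)\.exe\?/c\+", re.I)),
]

# Constructed IIS W3C extended log excerpt (field set chosen for the example).
IIS_LOG_SAMPLE = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-05-28 10:01:02 192.0.2.10 GET /index.html - 200",
    "2002-05-28 10:01:05 192.0.2.77 GET /default.ida " + "N" * 24 + "%u9090 404",
    "2002-05-28 10:01:09 192.0.2.78 GET /scripts/root.exe /c+dir 404",
    "2002-05-28 10:01:12 192.0.2.79 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 404",
])


def scan_iis_log(text: str) -> list:
    """Return (worm, client ip, uri-stem) for every request a worm would leave."""
    hits = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C directives
        f = line.split()
        if len(f) < 7:
            continue  # malformed line: expect date time ip method stem query status
        uri = f[4] if f[5] == "-" else f[4] + "?" + f[5]
        for worm, pattern in WORM_PATTERNS:
            if pattern.search(uri):
                hits.append((worm, f[2], f[4]))
                break
    return hits
```

The first check is what decides whether a Snort rule has anything to look at; the second is the log check Frank and Bill both point to, which works whether or not the request came in over SSL.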