[Snort-users] Detecting TCP session without data after three-wayhandshake

Jason Haar Jason_Haar at ...15306...
Thu Nov 3 22:56:32 EDT 2011


Funny you bring this up. We just brought up a new bunch of HTTPS servers
on new Internet addresses this week. The 4 VirtualHosts had a single IP
address and a shared cert with multiple hostnames associated with it (ie
Subject Alternative Name). Fairly quickly after they  became available
on the Internet, I noticed the usual suspects roaming around looking for
things to hack - as they do.

Anyway, two days later I was tail-ing the logs for some unrelated reason
when I saw a bot come to the https page USING A HOSTNAME ONLY PUT INTO
DNS TWO DAYS EARLIER. Only myself and one other person knew about that
hostname, so either:

1. our DNS was hacked/dumped - nope
2. our workstations/browser histories were dumped - nope
3. the bots are scraping initial HTTPS SSL exchanges and capturing FQDNs
- that's what I'm guessing

The IP address the transactions came from was never seen before - it
downloaded the homepage and disappeared. Those guys are building an
Asset tracking database better than we've got ;-)

I learnt one thing: if you make a legitimate SSL transaction against an
HTTPS server (to scrape the public cert) - APACHE WON'T LOG ANYTHING -
including errors. That's what I think happened. They made a SSL request,
got the cert (which generates no logs) then connected back to the
hostnames mentioned in the cert - ensuring they don't get whacked by
WAFs/etc.

So your query about TCP "SYN/ACK-then-exit" should be augmented with
"SSL-exchange-then-exit" - as both are suspicious :-)

Jason

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +1 408 481 8171
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1





More information about the Snort-users mailing list