[Snort-users] Detecting TCP session without data after three-way handshake

Giles Coochey giles at ...9346...
Fri Nov 4 05:39:00 EDT 2011


On Fri, November 4, 2011 03:56, Jason Haar wrote:
>
> 1. our DNS was hacked/dumped - nope
> 2. our workstations/browser histories were dumped - nope
> 3. the bots are scraping initial HTTPS SSL exchanges and capturing FQDNs
> - that's what I'm guessing
4. Your CA was hacked (it's happened before).





