[Snort-users] Detecting TCP session without data after three-way handshake
mcholste at ...11827...
Fri Nov 4 08:51:23 EDT 2011
> 3. the bots are scraping initial HTTPS SSL exchanges and capturing FQDNs
> - that's what I'm guessing
Whether or not that's definitely what happened in your case, it
certainly could've been. I wonder how many people have sensitive
intranet hostnames sitting in their certs for the world to see?
> I learnt one thing: if you make a legitimate SSL transaction against an
> HTTPS server (to scrape the public cert) - APACHE WON'T LOG ANYTHING -
You can probably tweak that in the config, but since most go with the
default, it's very worth noting. Thanks for pointing this out.
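The detection the thread subject asks for, written as an added example that is not part of the original post and not Snort's own code: it walks a constructed list of packet summaries, tracks the three-way handshake per client, and flags sessions that either carry no payload at all or carry only TLS handshake records with no Application Data (the certificate-scrape pattern that never reaches Apache's access log). The (src, dst, flags, payload) tuple format and the endpoint names are assumptions of the example.

```python
"""Flag established TCP sessions that never carry HTTP(S) application data.
Input: constructed (src, dst, tcp_flags, payload) summaries in wire order."""
SYN, PSH, ACK = 0x02, 0x08, 0x10
TLS_HANDSHAKE, TLS_APPDATA = 0x16, 0x17


def tls_record_types(payload):
    """Yield the content type byte of each TLS record in a TCP payload."""
    i = 0
    while i + 5 <= len(payload):
        yield payload[i]
        i += 5 + int.from_bytes(payload[i + 3:i + 5], "big")


def classify_sessions(packets):
    """Return {client: verdict} for every session whose 3-way handshake completed."""
    state = {}
    for src, dst, flags, payload in packets:
        if flags == SYN:                  # the SYN identifies the client side
            state.setdefault(src, {"synack": False, "up": False, "bytes": 0, "hs": False, "app": False})
            continue
        client = src if src in state else dst
        if client not in state:
            continue                      # mid-stream traffic, no SYN seen
        s = state[client]
        if flags == SYN | ACK:
            s["synack"] = True
        elif flags & ACK and s["synack"] and src == client:
            s["up"] = True                # client's ACK completes the handshake
        s["bytes"] += len(payload)
        for ctype in tls_record_types(payload):
            s["hs"] |= ctype == TLS_HANDSHAKE
            s["app"] |= ctype == TLS_APPDATA
    def verdict(s):   # handshake only: nothing for Apache to log
        return ("empty-session" if s["bytes"] == 0 else
                "tls-handshake-only" if s["hs"] and not s["app"] else "normal")
    return {c: verdict(s) for c, s in state.items() if s["up"]}


def tls_rec(ctype, body):  # one TLS record: type, version 3.3, length, body
    return bytes([ctype, 3, 3]) + len(body).to_bytes(2, "big") + body


C1, C2, C3, SRV = "10.0.0.5:40001", "10.0.0.6:40002", "10.0.0.7:40003", "10.0.0.1:443"
SAMPLE_PACKETS = [  # constructed, not captured traffic
    # C1: ClientHello, ServerHello + Certificate, then the cert scraper leaves
    (C1, SRV, SYN, b""), (SRV, C1, SYN | ACK, b""), (C1, SRV, ACK, b""),
    (C1, SRV, PSH | ACK, tls_rec(TLS_HANDSHAKE, b"\x01hello")),
    (SRV, C1, PSH | ACK, tls_rec(TLS_HANDSHAKE, b"\x02hello") + tls_rec(TLS_HANDSHAKE, b"\x0bcert")),
    # C2: a real HTTPS request: handshake records followed by Application Data
    (C2, SRV, SYN, b""), (SRV, C2, SYN | ACK, b""), (C2, SRV, ACK, b""),
    (C2, SRV, PSH | ACK, tls_rec(TLS_HANDSHAKE, b"\x01hello")),
    (C2, SRV, PSH | ACK, tls_rec(TLS_APPDATA, b"encrypted GET / HTTP/1.1")),
    # C3: three-way handshake and nothing else (the thread's subject)
    (C3, SRV, SYN, b""), (SRV, C3, SYN | ACK, b""), (C3, SRV, ACK, b""),
]
```

Running `classify_sessions(SAMPLE_PACKETS)` labels C1 as tls-handshake-only, C2 as normal and C3 as empty-session; the same logic applies to conn-log or pcap summaries once they are reduced to the same tuple shape.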