[Snort-users] Detecting TCP session without data after three-way handshake

Martin Holste mcholste at ...11827...
Fri Nov 4 08:51:23 EDT 2011


> 3. the bots are scraping initial HTTPS SSL exchanges and capturing FQDNs
> - that's what I'm guessing

Whether or not that's definitely what happened in your case, it
certainly could've been.  I wonder how many people have sensitive
intranet hostnames sitting in their certs for the world to see?

> I learnt one thing: if you make a legitimate SSL transaction against an
> HTTPS server (to scrape the public cert) - APACHE WON'T LOG ANYTHING -

You can probably tweak that in the config, but since most go with the
default, it's very worth noting.  Thanks for pointing this out.