[Snort-users] Detecting TCP session without data after three-way handshake

Seth Hall seth at ...14966...
Fri Nov 4 09:24:18 EDT 2011


On Nov 3, 2011, at 10:56 PM, Jason Haar wrote:

> I learnt one thing: if you make a legitimate SSL transaction against an
> HTTPS server (to scrape the public cert) - APACHE WON'T LOG ANYTHING -
> including errors. That's what I think happened. They made an SSL request,
> got the cert (which generates no logs) then connected back to the
> hostnames mentioned in the cert - ensuring they don't get whacked by
> WAFs/etc.

They didn't necessarily connect back.  The tool they're using could have just watched for the CN in the cert then used that for the Host header in the request.  The bigger question might be if they used that hostname in the "server_name" SSL extension since you have to know about the hostname ahead of time because it's sent in the client hello before the certificate exchange.

  .Seth
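The point Seth makes above, that the hostname in the server_name (SNI) extension travels in the ClientHello before any certificate is seen, is something a defender can check directly on the wire: a client that already knows the name sends it up front, while a client that only learned the name from the certificate cannot have. The following is an added example for this thread, not code from either poster or from Snort. It builds a minimal TLS 1.2 ClientHello from constructed bytes (no real capture), parses the extensions block to pull out the SNI host_name, and compares it against a list of names that are assumed to have been taken from the server's certificate (the `cert_names` argument and the `sni_check` labels are this example's own conventions).

```python
import struct


def _u16(buf, off):
    """Read a big-endian uint16 at buf[off], raising on truncation."""
    if off + 2 > len(buf):
        raise ValueError("truncated TLS field")
    return struct.unpack("!H", buf[off:off + 2])[0]


def build_client_hello(server_name=None):
    """Constructed test input: a minimal TLS 1.2 ClientHello record.

    Only the fields the parser walks are populated; random and cipher suite
    values are arbitrary placeholders, not from any real client.
    """
    client_random = bytes(32)
    session_id = b""
    cipher_suites = struct.pack("!H", 0x002F)            # one arbitrary suite
    compression = b"\x00"                                # null compression
    # A non-SNI extension first (renegotiation_info, type 0xff01) so the
    # parser is shown skipping extensions it does not care about.
    extensions = struct.pack("!HH", 0xFF01, 1) + b"\x00"
    if server_name is not None:
        name = server_name.encode("ascii")
        # ServerName entry: name_type(1) = host_name(0), length(2), name bytes
        sn_entry = b"\x00" + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(sn_entry)) + sn_entry
        extensions += struct.pack("!HH", 0x0000, len(sn_list)) + sn_list
    body = (
        b"\x03\x03" + client_random
        + bytes([len(session_id)]) + session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + bytes([len(compression)]) + compression
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name carried in the server_name extension, or None.

    Raises ValueError if the bytes are not a complete ClientHello record.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                   # client_version + random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + _u16(body, pos)                     # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):
        return None                                # legacy hello, no extensions block
    end = pos + 2 + _u16(body, pos)
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
        ext_data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != 0x0000:                     # 0 = server_name
            continue
        lpos = 2                                   # skip ServerNameList length
        while lpos + 3 <= len(ext_data):
            name_type, name_len = ext_data[lpos], _u16(ext_data, lpos + 1)
            lpos += 3
            if name_type == 0:                     # host_name
                return ext_data[lpos:lpos + name_len].decode("ascii", "replace")
            lpos += name_len
    return None


def sni_check(record, cert_names):
    """Classify a ClientHello against names assumed taken from the served cert.

    Returns "no_sni" when the client sent no hostname at all (consistent with a
    scanner that has not yet seen the certificate), "match" when the SNI is one
    of the certificate names, and "mismatch" otherwise.
    """
    sni = extract_sni(record)
    if sni is None:
        return "no_sni"
    return "match" if sni.lower() in {n.lower() for n in cert_names} else "mismatch"


if __name__ == "__main__":
    names = ["www.example.com", "example.com"]       # constructed cert names
    for hello in (build_client_hello("www.example.com"), build_client_hello()):
        print(extract_sni(hello), sni_check(hello, names))
```

Run on a real capture, the interesting population for Jason's scenario is the `no_sni` class: a connection whose ClientHello carries no server_name but which is immediately followed by a second connection that does name a hostname found only in the certificate.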