Re: [Snort-sigs] rule for Non-SSL traffic on SSL port?

Subject: Re: [Snort-sigs] rule for Non-SSL traffic on SSL port?
Date: Tue, 20 Jun 2006 11:05:19 -0500
My solution to any situation like this would be to do a packet capture of a regular SSL conversation and then of a non-SSL connection over the SSL port doing the same thing.

Look at the packets in the two conversations and see if there is any true indicator to write a signature with to check for non-SSL over port 443.

There must be something in clear-text that would occur on the non-SSL that wouldn't occur over the true SSL connection.


From: "Hellman, Matthew" <Hellman.Matthew@principal.com>
To: <snort-sigs@lists.sourceforge.net>
Subject: [Snort-sigs] rule for Non-SSL traffic on SSL port?
Date: Fri, 16 Jun 2006 07:53:04 -0500

Moderator: 2nd try, this time as registered user.

What I'm trying to accomplish can't be done with the commercial IPS we
currently use. I don't know a lot about Snort, and thought I'd see if it
might be up to the task.

Basically, I'm looking for a solution to alert me when a session on TCP
port 443 is not actually SSL. I want at most a single alarm per TCP
session.  At a conceptual level, the solution would look for the SSL
handshake early in a TCP session and alert if it was not seen. Or
something like that anyway. Can this be done with Snort?

Thanks,
Matt




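The approach the reply describes, checking the first client bytes of each TCP/443 session for the SSL/TLS handshake framing that clear-text protocols lack, as an added illustration that is not part of the original thread (the session table and payloads below are constructed; a real deployment would feed reassembled flows from a capture or an IDS preprocessor):

```python
"""Flag TCP/443 sessions whose first client-to-server payload does not look
like an SSL/TLS ClientHello, raising at most one alert per session.
All sample sessions below are constructed for this example."""

TLS_HANDSHAKE = 0x16   # TLS record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type: ClientHello
# (major, minor) versions accepted in an SSLv2-compatible ClientHello
SSLV2_COMPAT_VERSIONS = {(0x03, 0x00), (0x03, 0x01), (0x03, 0x02), (0x03, 0x03), (0x00, 0x02)}


def looks_like_ssl_handshake(payload: bytes) -> bool:
    """True if the first client bytes start like an SSL/TLS ClientHello.

    Covers TLS record framing (type 0x16, version 3.x, handshake type 0x01)
    and the legacy SSLv2-compatible ClientHello (2-byte length with the high
    bit set, message type 0x01, then the version). Only the first segment is
    inspected, so a hello split across segments needs stream reassembly first.
    """
    if len(payload) < 6:
        return False
    # TLS: content type, version major, version minor, length(2), handshake type
    if (payload[0] == TLS_HANDSHAKE and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == CLIENT_HELLO):
        return True
    # SSLv2-compatible: 0x80|len_hi, len_lo, msg type, version major, version minor
    if (payload[0] & 0x80 and payload[2] == CLIENT_HELLO
            and (payload[3], payload[4]) in SSLV2_COMPAT_VERSIONS):
        return True
    return False


def non_ssl_sessions(sessions):
    """sessions: {(src, sport, dst, dport): first client payload}.
    Returns the keys of port-443 sessions that did not open with a handshake,
    one entry per session (the 'single alarm per TCP session' requirement)."""
    return [key for key, payload in sessions.items()
            if key[3] == 443 and not looks_like_ssl_handshake(payload)]


# Constructed sample flows: a TLS 1.2 ClientHello, clear-text HTTP on 443,
# an SSLv2-compatible ClientHello, SSH on 443, and HTTP on port 80 (ignored).
SAMPLE_SESSIONS = {
    ("10.0.0.5", 51000, "203.0.113.10", 443): bytes.fromhex("16030100a5010000a10303") + b"\x00" * 32,
    ("10.0.0.6", 51001, "203.0.113.10", 443): b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    ("10.0.0.7", 51002, "203.0.113.10", 443): b"\x80\x2e\x01\x03\x01\x00\x15",
    ("10.0.0.8", 51003, "203.0.113.10", 443): b"SSH-2.0-OpenSSH_7.4\r\n",
    ("10.0.0.9", 51004, "203.0.113.10", 80): b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for key in non_ssl_sessions(SAMPLE_SESSIONS):
        print("non-SSL session on 443:", key)
```

Only the two clear-text sessions (HTTP and SSH on 443) are reported; the port-80 flow is outside the rule's scope and both handshake variants pass.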
_______________________________________________ Snort-sigs mailing list Snort-sigs@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/snort-sigs



