Snort mailing list archives
RE: SSL CodeRed et al
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 28 May 2002 13:38:04 -0500
I doubt that it's CodeRed running over SSL. More like is that script kiddies are running their exploit tools (for Unicode, MDAC, etc) over an SSL session to evade capture by IDS. As pointed out already, check your logs. Oh, you said: "The developer is claiming that the problem is CodeRed or Nimda attacking on the SSL port." Well? Do the developer mean that they have not secured the box against it? And if they did, CodeRed would not cause any harm. Sounds like they are just full of it. Regards, Frank On Tue, 2002-05-28 at 11:16, East, Bill wrote:
I know I wouldn't be able to see the encrypted traffic, but that's only an issue if the worm is actually making a SSL connection, which I seriously doubt. If, on the other hand, the worm was just blindly sending the exploit data to port 443, Snort would be able to pick it up. Either way, I think they're full of crap too. They're product isn't based on IIS, so these worms shouldn't be an issue.Encrypted or no, if either worm was hitting the server, you would see the attack strings in IIS's logfiles. I would not rule out someone rewriting the worms to use SSL, but on the other hand I have not seen that traffic (yet).
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- RE: SSL CodeRed et al Sean T. Ballard (May 28)
- RE: SSL CodeRed et al bthaler (May 28)
- <Possible follow-ups>
- SSL CodeRed et al bthaler (May 28)
- Re: SSL CodeRed et al Ryan Russell (May 28)
- Re: SSL CodeRed et al Phil Wood (May 28)
- RE: SSL CodeRed et al East, Bill (May 28)
- RE: SSL CodeRed et al Frank Knobbe (May 28)
- RE: SSL CodeRed et al bthaler (May 28)
- RE: SSL CodeRed et al Frank Knobbe (May 28)
- RE: SSL CodeRed et al Jim Grossl (May 28)
- RE: SSL CodeRed et al Wilcoxon, Steve (May 29)