Re: Writing custom rule for SSL 401 errors

[Jason <security () brvenik com>]

it is encrypted and as a result will be different every time. The only 
to catch the actual content would be to front end the system and have 
snort see the clear traffic.

Jason

Hicks, John wrote:

> why not just sniff the traffic on a session you create?
>
> -----Original Message-----
> From: Eric Joe [mailto:sysop () tje1 com]
> Sent: Tuesday, August 13, 2002 2:24 PM
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] Writing custom rule for SSL 401 errors
>
>
> Hello,
> I am trying to write a snort rule that sends an alert when someone gets a
> 401 "Authorization Required" error while using SSL. I have the non-SSL
> rule working as such
> alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK
> RESPONSES Http Failed Authorization"; content: "HTTP/1.\
> 1 401 "; flags:A+; classtype:bad-unknown; sid:1000001; rev:1;)
>
> It works fine, but with SSL encryption I am having trouble with the
> "content" parameter. I guess if I knew what HTTP/1.1 401  looked like when
> its encrypted, it would be a piece of cake.
> Anyone have any insight on this?  Thanks in advance.
>
>
>  



-------------------------------------------------------
This sf.net email is sponsored by: Dice - The leading online job board
for high-tech professionals. Search and apply for tech jobs today!
http://seeker.dice.com/seeker.epl?rel_code=31
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users