Snort mailing list archives
Re: Writing custom rule for SSL 401 errors
From: Jason <security () brvenik com>
Date: Tue, 13 Aug 2002 16:24:27 -0400
It is encrypted and as a result will be different every time. The only way to catch the actual content would be to front end the system and have snort see the clear traffic.
Jason

Hicks, John wrote:
why not just sniff the traffic on a session you create?

-----Original Message-----
From: Eric Joe [mailto:sysop () tje1 com]
Sent: Tuesday, August 13, 2002 2:24 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Writing custom rule for SSL 401 errors

Hello,

I am trying to write a snort rule that sends an alert when someone gets a 401 "Authorization Required" error while using SSL. I have the non-SSL rule working as such

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES Http Failed Authorization"; content: "HTTP/1.1 401 "; flags:A+; classtype:bad-unknown; sid:1000001; rev:1;)

It works fine, but with SSL encryption I am having trouble with the "content" parameter. I guess if I knew what HTTP/1.1 401 looked like when it's encrypted, it would be a piece of cake. Anyone have any insight on this?

Thanks in advance.
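The point made in the reply above, as an added example that is not part of the original thread: the same 401 response sent in two sessions with different keys produces different bytes on the wire, so a literal content match only works where the sensor sees clear traffic. The SHA-256 keystream and the bare record framing are simplified stand-ins for a real SSL session cipher (assumptions), and the response is a constructed sample.

```python
import hashlib
import os

RULE_CONTENT = b"HTTP/1.1 401 "  # content pattern from the non-SSL rule
# Constructed sample response, not captured traffic.
RESPONSE = (b"HTTP/1.1 401 Authorization Required\r\n"
            b'WWW-Authenticate: Basic realm="example"\r\n\r\n')


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); stand-in for the session cipher."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def ssl_record(key: bytes, plaintext: bytes) -> bytes:
    """Prefix the ciphertext with an application-data record header (0x17 0x03 0x01 + length)."""
    body = keystream_xor(key, plaintext)
    return b"\x17\x03\x01" + len(body).to_bytes(2, "big") + body


def content_match(payload: bytes, pattern: bytes = RULE_CONTENT) -> bool:
    """Literal byte search in the payload, as a plain content option performs."""
    return pattern in payload


def compare_sessions() -> dict:
    # Each session gets its own random key, as a handshake would negotiate.
    rec_a = ssl_record(os.urandom(32), RESPONSE)
    rec_b = ssl_record(os.urandom(32), RESPONSE)
    return {
        "clear_side_match": content_match(RESPONSE),
        "ssl_side_match": content_match(rec_a) or content_match(rec_b),
        "records_identical": rec_a == rec_b,
        "shared_header": rec_a[:5] == rec_b[:5],
    }


if __name__ == "__main__":
    for name, value in compare_sessions().items():
        print(f"{name}: {value}")
```

Only the five-byte record header is stable across the two sessions; it carries the record type and length, not the HTTP status.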