Snort mailing list archives
Re: Detecting TCP session without data after three-wayhandshake
From: Jason Haar <Jason_Haar () trimble com>
Date: Fri, 04 Nov 2011 15:56:32 +1300
Funny you bring this up. We just brought up a new bunch of HTTPS servers on new Internet addresses this week. The 4 VirtualHosts had a single IP address and a shared cert with multiple hostnames associated with it (ie Subject Alternative Name). Fairly quickly after they became available on the Internet, I noticed the usual suspects roaming around looking for things to hack - as they do. Anyway, two days later I was tail-ing the logs for some unrelated reason when I saw a bot come to the https page USING A HOSTNAME ONLY PUT INTO DNS TWO DAYS EARLIER. Only myself and one other person knew about that hostname, so either: 1. our DNS was hacked/dumped - nope 2. our workstations/browser histories were dumped - nope 3. the bots are scraping initial HTTPS SSL exchanges and capturing FQDNs - that's what I'm guessing The IP address the transactions came from was never seen before - it downloaded the homepage and disappeared. Those guys are building an Asset tracking database better than we've got ;-) I learnt one thing: if you make a legitimate SSL transaction against an HTTPS server (to scrape the public cert) - APACHE WON'T LOG ANYTHING - including errors. That's what I think happened. They made a SSL request, got the cert (which generates no logs) then connected back to the hostnames mentioned in the cert - ensuring they don't get whacked by WAFs/etc. So your query about TCP "SYN/ACK-then-exit" should be augmented with "SSL-exchange-then-exit" - as both are suspicious :-) Jason -- Cheers Jason Haar Information Security Manager, Trimble Navigation Ltd. Phone: +1 408 481 8171 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1 ------------------------------------------------------------------------------ RSA(R) Conference 2012 Save $700 by Nov 18 Register now http://p.sf.net/sfu/rsa-sfdev2dev1 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Detecting TCP session without data after three-way handshake Willst Mail (Nov 02)
- Re: Detecting TCP session without data after three-way handshake Edward Fjellskål (Nov 03)
- Re: Detecting TCP session without data after three-wayhandshake Jason Haar (Nov 03)
- Re: Detecting TCP session without data after three-wayhandshake Giles Coochey (Nov 04)
- Re: Detecting TCP session without data after three-wayhandshake Martin Holste (Nov 04)
- Re: Detecting TCP session without data after three-wayhandshake Seth Hall (Nov 04)