Snort mailing list archives
Re: SSL Initiation Rule
From: Y M <snort () outlook com>
Date: Fri, 15 May 2015 09:39:27 +0000
Comments Below. Date: Wed, 13 May 2015 16:39:45 +0100 From: steven.j.tonge () gmail com To: snort-sigs () lists sourceforge net Subject: [Snort-sigs] SSL Initiation Rule
Hi, I’ve been trying to write a rule to alert on SSL connection initiations on all ports: alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”SSL connection initiated.”; content:”|16|”; depth:1; content:”|01|”: depth:1; offset:5; sid:1000000001;) which should match the content: 16 03 00 00 54 01 00 00 50 03 00 55 53 32 FA FE ....T...P..US2.. -- --
Was Snort able to run with the above rules, or may just typos? looking at it the rule it seems that you are using a ":" instead of ";" after the second content match and before the following depth keyword.
For SSLv3 and TLSv1 connections. I tried to test it with a simple get HTTPS get request and after failing to match, I wrote a more general rule: alert tcp any any <> any any (msg:”General SSL Alert.”; sid:1000000002;) Testing this with a pcap of a HTTPS transaction, I find it matching on most of the packets but not on the client side initiation ones, Client Hello, Client Key Exchange, etc. Any ideas as to what’s missing?
I tested the rule above with a Client Hello and it seems to trigger fine. That said, you may also want to take a look the ssl rules keywords for rules: http://manual.snort.org/node17.html#SECTION003214300000000000000
Thanks Steve
------------------------------------------------------------------------------ One dashboard for servers and applications across Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 50+ applications Performance metrics, stats and reports that give you Actionable Insights Deep dive visibility with transaction tracing using APM Insight. http://ad.doubleclick.net/ddm/clk/290420510;117567292;y _______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------ One dashboard for servers and applications across Physical-Virtual-Cloud Widest out-of-the-box monitoring support with 50+ applications Performance metrics, stats and reports that give you Actionable Insights Deep dive visibility with transaction tracing using APM Insight. http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- SSL Initiation Rule Steven Tonge (May 13)
- Re: SSL Initiation Rule Y M (May 15)