Snort mailing list archives

Re: Code Red and port 443 (was RE: Code Red HELP!!!!)


From: Thierry Coopman <calvin () skynet be>
Date: Wed, 8 Aug 2001 09:28:34 +0200

At 14:19 -0500 07-08-2001, George D. Nincehelser wrote:
On a related note, does the worm every try secure web servers (e.g. on port
443)?

It would mean that the worm is intelligent enough to perform an SSL handshake. Nothing fancy really, since all the libraries to do so are available on an NT system, but it seems that it does not support it :))


If something did try to spread on an encrypted service, would Snort have any
chance of picking it up?  I would think not, but you never know...

Nope, snort would see diddly squat. There is just a stream of encrypted data from the client to the server; whatever is in the stream is unreadable (that's the purpose of SSL, so it's Good). Apart from funky TCP packets that do not belong there, the only way you could see something is in web server logs, if it's logged in the first place.

The only way to avoid this is to have a reverse SSL proxy sending the requests, but the source of the *evil* requests will always be originating from the proxy, so you need to match them up with the proxy logs. The proxy can be used to filter unwanted traffic out of the requests too (like the XXXXXXXXX string to buffer overflow the server...)

George

----- Original Message -----
From: "Carolyn Beckman" <beckman () clone concordia ca>
To: "s I n" <sin () Aniela EU ORG>
Cc: "Nigel Morse" <N.Morse () hyperknowledge com>; "Advanced Hosting UNIX Admin
Daniel Fairchild" <danielf () supportteam net>;
<snort-users () lists sourceforge net>; <netfilter () lists samba org>;
<bridge () math leidenuniv nl>
Sent: Tuesday, August 07, 2001 1:48 PM
Subject: [Snort-users] RE: Cod Red HELP!!!!


 > On Tue, 7 Aug 2001, s I n wrote:
 >
 > > Date: Tue, 7 Aug 2001 21:02:06 +0300 (EEST)
 > > From: s I n <sin () Aniela EU ORG>
 > > To: Nigel Morse <N.Morse () hyperknowledge com>
 > > Cc: Advanced Hosting UNIX Admin Daniel Fairchild
<danielf () supportteam net>,
 > >      snort-users () lists sourceforge net, netfilter () lists samba org,
 > >      bridge () math leidenuniv nl
 > > Subject: RE: Cod Red HELP!!!!
 >
 > It seems to me that one method of getting rid of code red
 > is to reconfigure the server so that it does not use port
 > 80.  This may or may not be practical with a big machine.
 > It is only a thought based on the logs of my server on
 > port 8080. There are no code red entries.
 >

--
Thierry Coopman - THieRRy () sKyNet be -

I realise computers suck. The only reason why they are a hobby
of mine is because I enjoy pain!
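As an added illustration of the point made above (this is not code from the original thread): once a reverse SSL proxy terminates the connection, its access log is where such requests become visible, and the client address recorded there is what has to be matched up against what the web server saw coming from the proxy. The script below runs over constructed proxy log lines and flags the Code Red request shape the post refers to (a request for the .ida handler padded with a long run of one character), reporting the originating client. The Apache-style log format, the `.ida` path and the run-length threshold are assumptions for this example.

```python
import re

# Constructed reverse-proxy access log (not from the original post). Assumed
# Apache-style format written by the proxy after SSL termination, with the
# real client address in the first field.
PROXY_LOG = """\
10.1.2.3 - - [08/Aug/2001:09:28:34 +0200] "GET /index.html HTTP/1.1" 200 1532
192.0.2.44 - - [08/Aug/2001:09:29:01 +0200] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 0
10.1.2.9 - - [08/Aug/2001:09:30:12 +0200] "POST /login HTTP/1.1" 302 0
198.51.100.7 - - [08/Aug/2001:09:31:45 +0200] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN HTTP/1.0" 404 0
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


def longest_run(s):
    """Return (char, length) of the longest run of one repeated character."""
    best = ('', 0)
    i = 0
    while i < len(s):
        j = i
        while j < len(s) and s[j] == s[i]:
            j += 1
        if j - i > best[1]:
            best = (s[i], j - i)
        i = j
    return best


def is_code_red_like(target, min_run=32):
    """Heuristic for the Code Red request shape: a request for the .ida
    handler whose query string is padded with a long run of one character.
    The .ida path and the threshold are assumptions for this example."""
    path, _, query = target.partition('?')
    if not path.lower().endswith('.ida'):
        return False
    return longest_run(query)[1] >= min_run


def scan_proxy_log(text, min_run=32):
    """Return (client, path) for every log line matching the heuristic."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        if is_code_red_like(m['target'], min_run):
            alerts.append((m['client'], m['target'].partition('?')[0]))
    return alerts
```

The returned client addresses are the ones to cross-reference with the web server's own logs, where every such request would otherwise appear to come from the proxy.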
