Snort mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Code Red and port 443 (was RE: Code Red HELP!!!!)

From: Mike Johnson <mike () enoch org>
Date: Wed, 8 Aug 2001 09:52:08 -0400
Thierry Coopman [calvin () skynet be] wrote:
 

The only way to avoid this is to have a reverse SSL proxy sending the 
requests, but the source of the *evil* requests will always be 
originating from the proxy, so you need to match them up with the 
proxy logs. The proxy can be used to filter unwanted traffic out of 
the requests too (like de XXXXXXXXX string to buffer overflow the 
server...


If you were really this concerned about your SSL traffic, you've
got a couple options.  You can buy on of Intel's (someone else may
make them, as weel) SSL accelerators that sit in front of your
server.  It acts as the SSL endpoint and spits plain text out
the back end to your web servers.  So, the traffic is protected
across the big nasty Internet, but it's clear text to your
web servers.  You would then put snort on the part of the network
where the traffic is in clear text.  Your other option is to
try something similar with stunnel.

Mike
-- 
Never trust a man who puts anything other than a finger up his nose. - _Snatch_

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: