RE: SSL CodeRed et al

["East, Bill" <eastb () PFFCU org>]

> -----Original Message-----
> From: bthaler () webstream net [mailto:bthaler () webstream net]
> Sent: Tuesday, May 28, 2002 11:45 AM
> To: Sean T. Ballard; snort-users () lists sourceforge net
> Subject: RE: [Snort-users] SSL CodeRed et al
>
>
> I know I wouldn't be able to see the encrypted traffic, but 
> that's only an
> issue if the worm is actually making a SSL connection, which 
> I seriously
> doubt.
>
> If, on the other hand, the worm was just blindly sending the 
> exploit data to
> port 443, Snort would be able to pick it up.
>
> Either way, I think they're full of crap too.  They're 
> product isn't based
> on IIS, so these worms shouldn't be an issue.

Encrypted or no, if either worm was hitting the server, you would see the
attack strings in IIS's logfiles. I would not rule out someone rewriting the
worms to use SSL, but on the other hand I have not seen that traffic (yet).

-- 
be - MOS



I've already told you more than I know.

_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users