Snort mailing list archives

Re: Detecting TCP session without data after three-wayhandshake

From: Martin Holste <mcholste () gmail com>
Date: Fri, 4 Nov 2011 07:51:23 -0500

3. the bots are scraping initial HTTPS SSL exchanges and capturing FQDNs
- that's what I'm guessing


Whether or not that's definitely what happened in your case, it
certainly could've been.  I wonder how many people have sensitive
intranet hostnames sitting in their certs for the world to see?

I learnt one thing: if you make a legitimate SSL transaction against an
HTTPS server (to scrape the public cert) - APACHE WON'T LOG ANYTHING -


You can probably tweak that in the config, but since most go with the
default, it's very worth noting.  Thanks for pointing this out.

------------------------------------------------------------------------------
RSA(R) Conference 2012
Save $700 by Nov 18
Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Detecting TCP session without data after three-way handshake Willst Mail (Nov 02)
- Re: Detecting TCP session without data after three-way handshake Edward Fjellskål (Nov 03)
- Re: Detecting TCP session without data after three-wayhandshake Jason Haar (Nov 03)
  - Re: Detecting TCP session without data after three-wayhandshake Giles Coochey (Nov 04)
  - Re: Detecting TCP session without data after three-wayhandshake Martin Holste (Nov 04)
  - Re: Detecting TCP session without data after three-wayhandshake Seth Hall (Nov 04)