Snort mailing list archives
SSL Initiation Rule
From: Steven Tonge <steven.j.tonge () gmail com>
Date: Wed, 13 May 2015 16:39:45 +0100
Hi,

I've been trying to write a rule to alert on SSL connection initiations on all ports:

    alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SSL connection initiated."; content:"|16|"; depth:1; content:"|01|"; depth:1; offset:5; sid:1000000001;)

which should match the content:

    16 03 00 00 54 01 00 00 50 03 00 55 53 32 FA FE    ....T...P..US2..

for SSLv3 and TLSv1 connections. I tried to test it with a simple HTTPS GET request and, after failing to match, I wrote a more general rule:

    alert tcp any any <> any any (msg:"General SSL Alert."; sid:1000000002;)

Testing this with a pcap of a HTTPS transaction, I find it matching on most of the packets but not on the client side initiation ones, Client Hello, Client Key Exchange, etc.

Any ideas as to what's missing?

Thanks
Steve
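Added example, not from the post or the rest of the thread: a small Python decoder that applies the same two byte checks the first rule expresses (content |16| at offset 0, content |01| at offset 5, both absolute from the start of the TCP payload) and parses the TLS record and handshake headers of the quoted ClientHello bytes, so the expected match can be verified offline against a captured payload before the rule is loaded. The 16-byte sample is the hex dump from the post; the function names are my own.

```python
import struct
from typing import Optional

# Constructed sample: the 16 bytes quoted in the post (record header + start of ClientHello)
SAMPLE = bytes.fromhex("1603000054010000500300555332FAFE")

CONTENT_TYPE_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def rule_matches(payload: bytes) -> bool:
    """Mirror of the post's rule: byte 0 must be 0x16 (content |16|; depth:1) and
    byte 5 must be 0x01 (content |01|; offset:5; depth:1). Without distance/within,
    Snort's offset and depth count from the start of the payload, not the previous match."""
    return (len(payload) >= 6
            and payload[0] == CONTENT_TYPE_HANDSHAKE
            and payload[5] == HANDSHAKE_CLIENT_HELLO)


def version_name(version: tuple) -> str:
    """Map a (major, minor) pair to its protocol name; unknown pairs are shown raw."""
    return VERSION_NAMES.get(version, "unknown %d.%d" % version)


def parse_client_hello_prefix(payload: bytes) -> Optional[dict]:
    """Decode the 5-byte TLS record header and the 4-byte handshake header plus the
    ClientHello's own version field. Returns None when the bytes are not a
    ClientHello record or are too short to carry the fields being read."""
    if len(payload) < 11 or payload[0] != CONTENT_TYPE_HANDSHAKE:
        return None
    rec_major, rec_minor, rec_len = struct.unpack("!BBH", payload[1:5])
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")  # 24-bit handshake body length
    if hs_type != HANDSHAKE_CLIENT_HELLO:
        return None
    client_version = (payload[9], payload[10])
    return {
        "record_version": (rec_major, rec_minor),
        "record_length": rec_len,
        "handshake_length": hs_len,
        "client_version": client_version,
        "client_version_name": version_name(client_version),
        # A single handshake message fills the record exactly when record = header + body
        "lengths_consistent": rec_len == hs_len + 4,
    }


if __name__ == "__main__":
    print("rule matches sample:", rule_matches(SAMPLE))
    print(parse_client_hello_prefix(SAMPLE))
```

Running it on a payload that Snort did not alert on is a quick way to tell whether the bytes at offsets 0 and 5 are really what the rule expects, or whether the ClientHello starts later in the stream than the first packet of the flow.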