SSL Initiation Rule

[Steven Tonge <steven.j.tonge () gmail com>]

Hi,

I’ve been trying to write a rule to alert on SSL connection initiations on
all ports:

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:”SSL connection
initiated.”; content:”|16|”; depth:1; content:”|01|”: depth:1; offset:5;
sid:1000000001;)

which should match the content:

16 03 00 00 54 01 00 00 50 03 00 55 53 32 FA FE  ....T...P..US2..
--             --

For SSLv3 and TLSv1 connections. I tried to test it with a simple get HTTPS
get request and after failing to match, I wrote a more general rule:

alert tcp any any <> any any (msg:”General SSL Alert.”; sid:1000000002;)

Testing this with a pcap of a HTTPS transaction, I find it matching on most
of the packets but not on the client side initiation ones, Client Hello,
Client Key Exchange, etc.

Any ideas as to what’s missing?

Thanks

Steve

------------------------------------------------------------------------------
One dashboard for servers and applications across Physical-Virtual-Cloud 
Widest out-of-the-box monitoring support with 50+ applications
Performance metrics, stats and reports that give you Actionable Insights
Deep dive visibility with transaction tracing using APM Insight.
http://ad.doubleclick.net/ddm/clk/290420510;117567292;y

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!