Snort mailing list archives
Re: Code Red and port 443 (was RE: Code Red HELP!!!!)
From: Thierry Coopman <calvin () skynet be>
Date: Wed, 8 Aug 2001 09:28:34 +0200
At 14:19 -0500 07-08-2001, George D. Nincehelser wrote:
> On a related note, does the worm ever try secure web servers (e.g. on port 443)?

It would mean that the worm is intelligent enough to perform an SSL handshake. Nothing fancy really, since all the libraries to do so are available on an NT system, but it seems that it does not support it :))

> If something did try to spread on an encrypted service, would Snort have any chance of picking it up? I would think not, but you never know...

Nope, Snort would see diddly squat. There is just a stream of encrypted data from the client to the server; whatever is in the stream is unreadable (that's the purpose of SSL, so it's Good). Apart from funky TCP packets that do not belong there, the only way you could see something is in the web server logs, if it's logged in the first place.

The only way to avoid this is to have a reverse SSL proxy sending the requests, but the source of the *evil* requests will always originate from the proxy, so you need to match them up with the proxy logs. The proxy can be used to filter unwanted traffic out of the requests too (like the XXXXXXXXX string to buffer overflow the server...).
> George
>
> ----- Original Message -----
> From: "Carolyn Beckman" <beckman () clone concordia ca>
> To: "s I n" <sin () Aniela EU ORG>
> Cc: "Nigel Morse" <N.Morse () hyperknowledge com>; "Advanced Hosting UNIX Admin Daniel Fairchild" <danielf () supportteam net>; <snort-users () lists sourceforge net>; <netfilter () lists samba org>; <bridge () math leidenuniv nl>
> Sent: Tuesday, August 07, 2001 1:48 PM
> Subject: [Snort-users] RE: Cod Red HELP!!!!
>
> > On Tue, 7 Aug 2001, s I n wrote:
> >
> > > Date: Tue, 7 Aug 2001 21:02:06 +0300 (EEST)
> > > From: s I n <sin () Aniela EU ORG>
> > > To: Nigel Morse <N.Morse () hyperknowledge com>
> > > Cc: Advanced Hosting UNIX Admin Daniel Fairchild <danielf () supportteam net>,
> > >     snort-users () lists sourceforge net, netfilter () lists samba org,
> > >     bridge () math leidenuniv nl
> > > Subject: RE: Cod Red HELP!!!!
> >
> > It seems to me that one method of getting rid of code red
> > is to reconfigure the server so that it does not use port
> > 80. This may or may not be practical with a big machine.
> > It is only a thought based on the logs of my server on
> > port 8080. There are no code red entries.
--
Thierry Coopman - THieRRy () sKyNet be
I realise computers suck. The only reason why they are a hobby of mine is because I enjoy pain!
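The visibility point made above, as an added example that is not code from the list, from Snort, or from any poster: once a reverse SSL proxy terminates the encrypted session, the origin server's access log shows each request in the clear but records the proxy as its source, so a hit has to be matched against the proxy's own log to recover the real client. The script flags request lines carrying a long run of one repeated character (the overflow padding shape the reply mentions) and performs that match by request line and timestamp. The two log formats, the addresses, the probe path, the proxy address `10.0.0.5` and the 64-character run threshold are constructed assumptions, not values from the thread.

```python
"""Flag overflow-style padding in an origin server's access log and
attribute each hit to the real client via the reverse SSL proxy's log.
Constructed example; log formats, addresses and paths are assumptions."""
import re
from datetime import datetime, timedelta

# Assumption: the origin server sits behind a reverse SSL proxy at this
# address, so every request it logs carries the proxy's address.
PROXY_ADDR = "10.0.0.5"
# Stands in for the long run of identical characters mentioned in the thread.
PADDING = "X" * 80

# Constructed origin-server log in Apache common log format.
WEB_LOG = f"""\
{PROXY_ADDR} - - [08/Aug/2001:09:28:34 +0200] "GET /index.html HTTP/1.0" 200 1043
{PROXY_ADDR} - - [08/Aug/2001:09:28:35 +0200] "GET /overflow-probe?{PADDING} HTTP/1.0" 404 3216
{PROXY_ADDR} - - [08/Aug/2001:09:28:36 +0200] "GET /about.html HTTP/1.0" 200 512
"""

# Constructed proxy log: timestamp, real client address, request line.
PROXY_LOG = f"""\
[08/Aug/2001:09:28:34 +0200] 198.51.100.9 "GET /index.html HTTP/1.0"
[08/Aug/2001:09:28:35 +0200] 192.0.2.77 "GET /overflow-probe?{PADDING} HTTP/1.0"
[08/Aug/2001:09:28:36 +0200] 198.51.100.9 "GET /about.html HTTP/1.0"
"""

WEB_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+$')
PROXY_RE = re.compile(r'^\[([^\]]+)\] (\S+) "([^"]*)"$')
# 64 or more repeats of a single word character anywhere in the request line.
RUN_RE = re.compile(r'(\w)\1{63,}')


def parse_ts(text):
    """Parse the common-log timestamp into a timezone-aware datetime."""
    return datetime.strptime(text, "%d/%b/%Y:%H:%M:%S %z")


def parse_web_log(text):
    """Return one dict per well-formed origin-server log line."""
    events = []
    for line in text.splitlines():
        m = WEB_RE.match(line)
        if m:
            events.append({"src": m.group(1), "ts": parse_ts(m.group(2)),
                           "request": m.group(3), "status": int(m.group(4))})
    return events


def parse_proxy_log(text):
    """Return one dict per well-formed proxy log line."""
    events = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            events.append({"ts": parse_ts(m.group(1)), "client": m.group(2),
                           "request": m.group(3)})
    return events


def is_overflow_padding(request):
    """True when the request line carries a long run of one repeated character."""
    return RUN_RE.search(request) is not None


def attribute_client(event, proxy_events, tolerance=timedelta(seconds=2)):
    """Find the proxy entry with the same request line logged within the tolerance."""
    for p in proxy_events:
        if p["request"] == event["request"] and abs(p["ts"] - event["ts"]) <= tolerance:
            return p["client"]
    return None  # no proxy record matched; the hit stays attributed to nobody


def find_suspicious(web_text, proxy_text):
    """Flag padded requests and resolve their real client through the proxy log."""
    proxy_events = parse_proxy_log(proxy_text)
    findings = []
    for ev in parse_web_log(web_text):
        if not is_overflow_padding(ev["request"]):
            continue
        # Only requests that arrived via the proxy need the proxy-log lookup.
        client = attribute_client(ev, proxy_events) if ev["src"] == PROXY_ADDR else ev["src"]
        findings.append({"ts": ev["ts"].isoformat(), "request": ev["request"],
                         "client": client, "status": ev["status"]})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(WEB_LOG, PROXY_LOG):
        print(finding)
```

The match key is the full request line plus a two-second window, which is the minimum a proxy log gives you when it does not write a request identifier; a proxy that can add a correlation header or forward the client address in its own log line makes the join exact rather than approximate.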