Snort mailing list archives
Re: SSL CodeRed et al
From: Phil Wood <cpw () lanl gov>
Date: Tue, 28 May 2002 10:09:18 -0600
If I got a report like that, I'd slap up a snort with the web rules set for port 443 instead of port 80 as well as buffer overflow checks (again, just for port 443 and the internal web server address), and see what, if anything, was going on. Co-ordinate your clocks and see if there is any correlation between traffic seen and their service dying. (What does their web server log show?)

This is not a question for consensus. You need data so you can, with some assurance, say "yea" or "nay" to the assertion. You might be able to correlate certain packet traffic with the times that their web server goes down. Take it as a challenge.

On Tue, May 28, 2002 at 11:19:45AM -0400, bthaler () webstream net wrote:
Sorry for the dumb question, and I think I already know the answer, but:

Has anyone heard of a CodeRed or Nimda variant attacking on port 443 (SSL)?

The reason I'm asking is that we have a web-based interface to an application that runs its own internal web server (not IIS), and the service keeps dying. The developer is claiming that the problem is CodeRed or Nimda attacking on the SSL port.

We're about to tell them that they're fll of $hlt, but I wanted to run it by you guys first...

Regards,
Brad T.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Phil Wood, cpw () lanl gov
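Added example, not part of the original thread: one way to do the correlation suggested in the reply above, matching Snort fast-format alerts on port 443 against the times the service died. The alert lines, SIDs, addresses, crash times, the 120-second window and the function names are all constructed assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the thread). SIDs are in the local-rule
# range; addresses are documentation ranges.
ALERTS = """\
05/28-09:14:02.118233  [**] [1:1000001:1] LOCAL web rule on 443 [**] [Priority: 2] {TCP} 198.51.100.7:40112 -> 192.0.2.10:443
05/28-09:58:40.500100  [**] [1:1000002:1] LOCAL overflow check on 443 [**] [Priority: 1] {TCP} 198.51.100.9:51844 -> 192.0.2.10:443
05/28-11:30:15.000000  [**] [1:1000001:1] LOCAL web rule on 443 [**] [Priority: 2] {TCP} 203.0.113.4:33010 -> 192.0.2.10:80
"""
# Times the application's own log says the service died (server clock).
CRASHES = ["2002-05-28 09:59:05", "2002-05-28 13:20:00"]

ALERT_RE = re.compile(
    r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.\d+\s+\[\*\*\]\s+\[(\d+:\d+:\d+)\]"
    r"\s+(.*?)\s+\[\*\*\].*?\{(\w+)\}\s+(\S+)\s+->\s+(\S+):(\d+)$")

def parse_alerts(text, year, dst_port=443):
    """Return (time, gid:sid:rev, msg, source) for alerts aimed at dst_port.
    Fast-format timestamps carry no year by default, so the caller gives it."""
    out = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m or int(m.group(11)) != dst_port:
            continue
        mo, d, h, mi, s = (int(m.group(i)) for i in range(1, 6))
        out.append((datetime(year, mo, d, h, mi, s),
                    m.group(6), m.group(7), m.group(9)))
    return out

def correlate(alerts, crashes, window_s=120, skew_s=0):
    """Map each crash time to the alerts seen in the window_s seconds before it.
    skew_s is sensor clock minus server clock, for unsynchronised hosts."""
    window = timedelta(seconds=window_s)
    result = {}
    for c in crashes:
        t = datetime.strptime(c, "%Y-%m-%d %H:%M:%S") + timedelta(seconds=skew_s)
        result[c] = [a for a in alerts if timedelta(0) <= t - a[0] <= window]
    return result

if __name__ == "__main__":
    for crash, hits in correlate(parse_alerts(ALERTS, 2002), CRASHES).items():
        print(crash, "->", [(h[1], h[3]) for h in hits] or "no alerts before crash")
```

A crash with no preceding alerts is as informative as one with alerts: it is data against the claim that the traffic is what kills the service.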