Snort mailing list archives
RE: SSL CodeRed et al
From: <bthaler () webstream net>
Date: Tue, 28 May 2002 14:45:11 -0400
To all who replied: We weren't actually seeing any CodeRed or Nimda traffic over port 443, even with snort rules in place to detect this. We are certain that this isn't happening, but the software developer seems to think that it is. Even though this application is *not* running IIS, and is therefore immune to CodeRed/Nimda, this is the excuse they're using. I just wanted to check with you all, the Snort community, and make sure that you all have not seen this type of traffic before. After careful consideration, we have determined that this particular support person (the guy who said that SSL CodeRed is making our server crash) is full of crap. Thanks for the replies. Sincerely, Brad T.
-----Original Message----- From: Frank Knobbe [mailto:fknobbe () knobbeits com] Sent: Tuesday, May 28, 2002 2:38 PM To: East, Bill Cc: 'bthaler () webstream net'; 'snort-users () lists sourceforge net' Subject: RE: [Snort-users] SSL CodeRed et al I doubt that it's CodeRed running over SSL. More like is that script kiddies are running their exploit tools (for Unicode, MDAC, etc) over an SSL session to evade capture by IDS. As pointed out already, check your logs. Oh, you said: "The developer is claiming that the problem is CodeRed or Nimda attacking on the SSL port." Well? Do the developer mean that they have not secured the box against it? And if they did, CodeRed would not cause any harm. Sounds like they are just full of it. Regards, Frank On Tue, 2002-05-28 at 11:16, East, Bill wrote:I know I wouldn't be able to see the encrypted traffic, but that's only an issue if the worm is actually making a SSL connection, which I seriously doubt. If, on the other hand, the worm was just blindly sending the exploit data to port 443, Snort would be able to pick it up. Either way, I think they're full of crap too. They're product isn't based on IIS, so these worms shouldn't be an issue.Encrypted or no, if either worm was hitting the server, youwould see theattack strings in IIS's logfiles. I would not rule out someonerewriting theworms to use SSL, but on the other hand I have not seen thattraffic (yet).
_______________________________________________________________ Don't miss the 2002 Sprint PCS Application Developer's Conference August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- RE: SSL CodeRed et al Sean T. Ballard (May 28)
- RE: SSL CodeRed et al bthaler (May 28)
- <Possible follow-ups>
- SSL CodeRed et al bthaler (May 28)
- Re: SSL CodeRed et al Ryan Russell (May 28)
- Re: SSL CodeRed et al Phil Wood (May 28)
- RE: SSL CodeRed et al East, Bill (May 28)
- RE: SSL CodeRed et al Frank Knobbe (May 28)
- RE: SSL CodeRed et al bthaler (May 28)
- RE: SSL CodeRed et al Frank Knobbe (May 28)
- RE: SSL CodeRed et al Jim Grossl (May 28)
- RE: SSL CodeRed et al Wilcoxon, Steve (May 29)