Snort mailing list archives

Previous By Date Next
Previous By Thread Next

RE: SSL CodeRed et al

From: <bthaler () webstream net>
Date: Tue, 28 May 2002 14:45:11 -0400
To all who replied:

We weren't actually seeing any CodeRed or Nimda traffic over port 443, even
with snort rules in place to detect this.  We are certain that this isn't
happening, but the software developer seems to think that it is.

Even though this application is *not* running IIS, and is therefore immune
to CodeRed/Nimda, this is the excuse they're using.

I just wanted to check with you all, the Snort community, and make sure that
you all have not seen this type of traffic before.

After careful consideration, we have determined that this particular support
person (the guy who said that SSL CodeRed is making our server crash) is
full of crap.

Thanks for the replies.






Sincerely,

Brad T.

-----Original Message-----
From: Frank Knobbe [mailto:fknobbe () knobbeits com]
Sent: Tuesday, May 28, 2002 2:38 PM
To: East, Bill
Cc: 'bthaler () webstream net'; 'snort-users () lists sourceforge net'
Subject: RE: [Snort-users] SSL CodeRed et al


I doubt that it's CodeRed running over SSL. More like is that script
kiddies are running their exploit tools (for Unicode, MDAC, etc) over an
SSL session to evade capture by IDS.

As pointed out already, check your logs.

Oh, you said: "The developer is claiming that the problem is CodeRed or
Nimda attacking on the SSL port." Well? Do the developer mean that they
have not secured the box against it? And if they did, CodeRed would not
cause any harm. Sounds like they are just full of it.

Regards,
Frank



On Tue, 2002-05-28 at 11:16, East, Bill wrote:


I know I wouldn't be able to see the encrypted traffic, but
that's only an
issue if the worm is actually making a SSL connection, which
I seriously
doubt.

If, on the other hand, the worm was just blindly sending the
exploit data to
port 443, Snort would be able to pick it up.

Either way, I think they're full of crap too.  They're
product isn't based
on IIS, so these worms shouldn't be an issue.



Encrypted or no, if either worm was hitting the server, you

would see the

attack strings in IIS's logfiles. I would not rule out someone

rewriting the

worms to use SSL, but on the other hand I have not seen that

traffic (yet).






_______________________________________________________________

Don't miss the 2002 Sprint PCS Application Developer's Conference
August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: