Snort mailing list archives

Re: Writing custom rule for SSL 401 errors


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 13 Aug 2002 16:21:40 -0400

With SSL what you suggest should theoretically be impossible, or at least so computationally infeasible that it's impossible in reasonable time. It's purposefully designed to prevent exactly what you propose doing :).

If it were possible to identify the contents of encrypted data, it wouldn't exactly be encrypted very well, now would it? A simple known-plaintext attack, such as this, is considered to be a severe weakness in most cryptosystems, since most protocols have lots of common headers and other known plaintext.

That's why ideally all keys are random, as are initialization vectors and data padding. No two encryptions of the same data should look the same due to the constantly changing keys, etc.


At 02:23 PM 8/13/2002 -0400, Eric Joe wrote:
Hello,
I am trying to write a snort rule that sends an alert when someone gets a
401 "Authorization Required" error while using SSL. I have the non-SSL
rule working as such
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES Http Failed Authorization"; content:"HTTP/1.1 401 "; flags:A+; classtype:bad-unknown; sid:1000001; rev:1;)

It works fine, but with SSL encryption I am having trouble with the
"content" parameter. I guess if I knew what HTTP/1.1 401 looked like when
it's encrypted, it would be a piece of cake.
Anyone have any insight on this? Thanks in advance.



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
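The point Matt makes above can be shown concretely. The following is an added demonstration, not code from either poster or from the Snort project: a toy stream cipher (a SHA-256 keystream driven by a key, a random nonce and a counter) stands in for the real TLS record cipher, and `content_match` stands in for Snort's `content:` substring search. The cipher, the function names and the sample 401 response are all constructed for this illustration; the toy cipher is not secure and is not how TLS encrypts records, but it has the property the post describes: a fresh random nonce per message means two encryptions of the same bytes share no recognisable pattern, while a reused nonce makes them identical.

```python
"""Why a Snort content match on "HTTP/1.1 401 " cannot fire on encrypted traffic.

Constructed demonstration with a toy SHA-256 keystream cipher standing in
for the TLS record layer. Not a real or secure cipher; it only illustrates
the randomised-nonce property discussed in the thread.
"""
import hashlib
import secrets
from typing import Optional

# The byte pattern the cleartext Snort rule in the thread searches for.
RULE_PATTERN = b"HTTP/1.1 401 "

NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from key || nonce || block counter (toy CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out.extend(hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || (plaintext XOR keystream). A random nonce is used unless one is supplied."""
    if nonce is None:
        nonce = secrets.token_bytes(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Inverse of encrypt(): strip the nonce and XOR the same keystream back."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def content_match(packet_payload: bytes, pattern: bytes = RULE_PATTERN) -> bool:
    """Stand-in for Snort's `content:` option: a plain substring search on the payload."""
    return pattern in packet_payload


def demo(key: Optional[bytes] = None) -> dict:
    """Encrypt the same 401 response twice and report what a content match would see."""
    if key is None:
        key = secrets.token_bytes(32)
    # Constructed sample of the cleartext response the rule is meant to catch.
    response = (b"HTTP/1.1 401 Authorization Required\r\n"
                b"WWW-Authenticate: Basic realm=\"example\"\r\n\r\n")
    c1 = encrypt(key, response)            # fresh random nonce
    c2 = encrypt(key, response)            # another fresh random nonce
    fixed = b"\x00" * NONCE_LEN            # deliberately reused nonce, for contrast
    r1 = encrypt(key, response, fixed)
    r2 = encrypt(key, response, fixed)
    return {
        "cleartext_match": content_match(response),            # rule fires on cleartext
        "ciphertext_match": content_match(c1) or content_match(c2),  # nothing to match
        "ciphertexts_identical": c1 == c2,                      # random nonce: differ
        "reused_nonce_identical": r1 == r2,                     # reused nonce: identical
        "roundtrip_ok": decrypt(key, c1) == response and decrypt(key, c2) == response,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `reused_nonce_identical` result is the flip side of Matt's remark about random keys and initialization vectors: only when the randomisation is missing does the same response produce the same bytes on the wire, and only then could a fixed byte pattern ever fingerprint it. For TLS traffic the practical consequence is that a content-based rule can only be evaluated at a point where the cleartext exists, such as on the server itself or behind a TLS-terminating proxy.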