Snort mailing list archives
Re: Writing custom rule for SSL 401 errors
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 13 Aug 2002 16:21:40 -0400
With SSL what you suggest should theoretically be impossible, or at least so computationally infeasible that it's impossible in reasonable time. It's purposefully designed to prevent exactly what you propose doing :).
If it were possible to identify the contents of encrypted data, it wouldn't exactly be encrypted very well, now would it? A simple known plaintext attack, such as this, is considered to be a severe weakness in most cryptosystems, since most protocols have lots of common headers and other known plaintext.
That's why ideally all keys are random, as are initialization vectors and data padding. No two encryptions of the same data should look the same due to the constantly changing keys, etc.
At 02:23 PM 8/13/2002 -0400, Eric Joe wrote:
Hello,

I am trying to write a snort rule that sends an alert when someone gets a 401 "Authorization Required" error while using SSL. I have the non-SSL rule working as such:

alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES Http Failed Authorization"; content: "HTTP/1.1 401 "; flags:A+; classtype:bad-unknown; sid:1000001; rev:1;)

It works fine, but with SSL encryption I am having trouble with the "content" parameter. I guess if I knew what HTTP/1.1 401 looked like when it's encrypted, it would be a piece of cake. Anyone have any insight on this?

Thanks in advance.
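An added example, not part of the original messages or of Snort: it encrypts the same 401 response under a fresh random key and nonce per session and runs a fixed byte-string search over the result, both with the cleartext pattern and with a pattern "learned" from one observed session. The HMAC-SHA256 keystream is a toy stand-in for an SSL cipher (an assumption), and all function names are hypothetical.

```python
import hashlib, hmac, os

SIGNATURE = b"HTTP/1.1 401 "  # content string from the rule in this thread
RESPONSE = SIGNATURE + b"Authorization Required\r\n\r\n"  # constructed sample

def keystream(key, nonce, length):
    # Toy keystream: HMAC-SHA256(key, nonce || counter). Stand-in, not SSL.
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def crypt(data, key, nonce):
    # XOR stream cipher: the same call encrypts and decrypts.
    return bytes(d ^ k for d, k in zip(data, keystream(key, nonce, len(data))))

def content_match(payload, pattern=SIGNATURE):
    # A content: option is a fixed byte-string search in the payload.
    return pattern in payload

def simulate(sessions=1000):
    # Session 0 is "observed": its encrypted status line becomes the
    # learned pattern a sensor might hope to reuse on later sessions.
    learned, seen = None, set()
    plain_hits = learned_hits = 0
    for i in range(sessions):
        key, nonce = os.urandom(32), os.urandom(16)  # fresh per session
        ct = crypt(RESPONSE, key, nonce)
        assert crypt(ct, key, nonce) == RESPONSE  # round trip
        seen.add(ct)
        plain_hits += content_match(ct)
        if learned is None:
            learned = ct[:len(SIGNATURE)]
        else:
            learned_hits += content_match(ct, learned)
    return len(seen), plain_hits, learned_hits

if __name__ == "__main__":
    print("match on cleartext response:", content_match(RESPONSE))
    print("(distinct ciphertexts, plaintext hits, learned hits):", simulate())
```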