Snort mailing list archives
Re: Writing custom rule for SSL 401 errors
From: Jason Brvenik <security () brvenik com>
Date: Tue, 13 Aug 2002 20:48:11 -0400
A clarification, I should have said it is encrypted using SSL and _should_ be different for every session if properly implemented. I did not intend to imply that all encryption was dynamic. That being said, I have solved this problem in the past with reverse proxies or accelerators. Unfortunately, I just got done checking the docs for my favorite open source proxy and see that it does not support SSL in a reverse proxy mode. There are other options though. 1) An accellerator. Not cheap. 2) Commercial proxies. Not Cheap 3) An open source proxy that does support it. ( If you find one please forward the info to me) 4) maybe mod_proxy with apache? 6) stunnel I know you can do it with stunnel so try it this way for a low budget option get stunnel at http://www.stunnel.org read the docs set it up for realip:443 connecting to localhost:80 and have snort listen on the loopback. or use a closed net between an stunnel host and the web server. HTH Jason. "Dan Mahoney, System Admin" wrote:
On Tue, 13 Aug 2002, Jason wrote:it is encrypted and as a result will be different every time. The only to catch the actual content would be to front end the system and have snort see the clear traffic.Well, hrmm, here's a thought, but it's ugly. Have apache log to "tee", and pipe that over a symmetrically encrypted tunnel with netcat to anywhere on the lan and monitor that. (or for that matter, an asymmetrically encrypted tunnel to your sniffer) I said it was ugly. But it's the first thing I can come up with off the top of my head. -DanJason Hicks, John wrote:why not just sniff the traffic on a session you create? -----Original Message----- From: Eric Joe [mailto:sysop () tje1 com] Sent: Tuesday, August 13, 2002 2:24 PM To: snort-users () lists sourceforge net Subject: [Snort-users] Writing custom rule for SSL 401 errors Hello, I am trying to write a snort rule that sends an alert when someone gets a 401 "Authorization Required" error while using SSL. I have the non-SSL rule working as such alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES Http Failed Authorization"; content: "HTTP/1.\ 1 401 "; flags:A+; classtype:bad-unknown; sid:1000001; rev:1;) It works fine, but with SSL encryption I am having trouble with the "content" parameter. I guess if I knew what HTTP/1.1 401 looked like when its encrypted, it would be a piece of cake. Anyone have any insight on this? Thanks in advance.------------------------------------------------------- This sf.net email is sponsored by: Dice - The leading online job board for high-tech professionals. Search and apply for tech jobs today! http://seeker.dice.com/seeker.epl?rel_code=31 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users-- "I wish the Real World would just stop hassling me!" -Matchbox 20, Real World, off the album "Yourself or Someone Like You" --------Dan Mahoney-------- Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Web: http://prime.gushi.org finger danm () prime gushi org for pgp public key and tel# ---------------------------
------------------------------------------------------- This sf.net email is sponsored by: Dice - The leading online job board for high-tech professionals. Search and apply for tech jobs today! http://seeker.dice.com/seeker.epl?rel_code=31 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Writing custom rule for SSL 401 errors Eric Joe (Aug 13)
- Re: Writing custom rule for SSL 401 errors Matt Kettler (Aug 13)
- Re: Writing custom rule for SSL 401 errors Stefan Dens (Aug 17)
- <Possible follow-ups>
- RE: Writing custom rule for SSL 401 errors McCammon, Keith (Aug 13)
- RE: Writing custom rule for SSL 401 errors Hicks, John (Aug 13)
- Re: Writing custom rule for SSL 401 errors Jason (Aug 13)
- Re: Writing custom rule for SSL 401 errors Dan Mahoney, System Admin (Aug 13)
- Re: Writing custom rule for SSL 401 errors Jason Brvenik (Aug 13)
- Re: Writing custom rule for SSL 401 errors David Yip (Aug 14)
- Re: Writing custom rule for SSL 401 errors Jason (Aug 13)