Snort mailing list archives
Re: Writing custom rule for SSL 401 errors
From: "Stefan Dens" <stefan.dens () pandora be>
Date: Tue, 13 Aug 2002 22:04:37 +0200
Hi, It is inpossible to write a rule for ssl, if a webserver would encrypt with a default encryption key then the whole SSL concept would not exists. Sorry, Stefan Dens ----- Original Message ----- From: "Eric Joe" <sysop () tje1 com> To: <snort-users () lists sourceforge net> Sent: Tuesday, August 13, 2002 8:23 PM Subject: [Snort-users] Writing custom rule for SSL 401 errors
Hello, I am trying to write a snort rule that sends an alert when someone gets a 401 "Authorization Required" error while using SSL. I have the non-SSL rule working as such alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES Http Failed Authorization"; content: "HTTP/1.\ 1 401 "; flags:A+; classtype:bad-unknown; sid:1000001; rev:1;) It works fine, but with SSL encryption I am having trouble with the "content" parameter. I guess if I knew what HTTP/1.1 401 looked like when its encrypted, it would be a piece of cake. Anyone have any insight on this? Thanks in advance. -- Eric Joe Network Operations Journey's End Internet/Computer Connection Inc ------------------------------------------------------- This sf.net email is sponsored by: Dice - The leading online job board for high-tech professionals. Search and apply for tech jobs today! http://seeker.dice.com/seeker.epl?rel_code=31 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------- This sf.net email is sponsored by: OSDN - Tired of that same old cell phone? Get a new here for FREE! https://www.inphonic.com/r.asp?r=sourceforge1&refcode1=vs3390 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Writing custom rule for SSL 401 errors Eric Joe (Aug 13)
- Re: Writing custom rule for SSL 401 errors Matt Kettler (Aug 13)
- Re: Writing custom rule for SSL 401 errors Stefan Dens (Aug 17)
- <Possible follow-ups>
- RE: Writing custom rule for SSL 401 errors McCammon, Keith (Aug 13)
- RE: Writing custom rule for SSL 401 errors Hicks, John (Aug 13)
- Re: Writing custom rule for SSL 401 errors Jason (Aug 13)
- Re: Writing custom rule for SSL 401 errors Dan Mahoney, System Admin (Aug 13)
- Re: Writing custom rule for SSL 401 errors Jason Brvenik (Aug 13)
- Re: Writing custom rule for SSL 401 errors David Yip (Aug 14)
- Re: Writing custom rule for SSL 401 errors Jason (Aug 13)