Snort mailing list archives

Re: Detecting TCP session without data after three-way handshake


From: Seth Hall <seth () remor com>
Date: Fri, 4 Nov 2011 09:24:18 -0400


On Nov 3, 2011, at 10:56 PM, Jason Haar wrote:

I learnt one thing: if you make a legitimate SSL transaction against an
HTTPS server (to scrape the public cert) - APACHE WON'T LOG ANYTHING -
including errors. That's what I think happened. They made an SSL request,
got the cert (which generates no logs) then connected back to the
hostnames mentioned in the cert - ensuring they don't get whacked by
WAFs/etc.

They didn't necessarily connect back.  The tool they're using could have just watched for the CN in the cert then used 
that for the Host header in the request.  The bigger question might be if they used that hostname in the "server_name" 
SSL extension since you have to know about the hostname ahead of time because it's sent in the client hello before the 
certificate exchange.

  .Seth
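The point Seth raises about the server_name extension, as an added example that is not code from the thread: a small Python parser that pulls the SNI out of a TLS ClientHello record, so a sensor can log which hostname the client asked for before any certificate came back, and then check that name against the names in the served certificate. The ClientHello bytes are constructed inline for offline use; `build_client_hello`, `parse_sni` and `hostname_matches` are names assumed for this example, and the record layout follows RFC 5246 and RFC 6066.

```python
"""Pull the server_name (SNI) out of a TLS ClientHello record.

Added example, not code from the thread. Layout per RFC 5246 (TLS 1.2)
and RFC 6066 (server_name extension). Function names are assumed for
this example and the ClientHello bytes are constructed, not captured.
"""
import struct
from typing import Iterable, Optional

TLS_HANDSHAKE = 0x16      # record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # server_name extension type
NAME_TYPE_HOST = 0x00     # host_name entry inside server_name_list


def build_client_hello(sni: Optional[str]) -> bytes:
    """Build a minimal, constructed TLS 1.2 ClientHello; sni=None omits SNI."""
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = struct.pack("!BH", NAME_TYPE_HOST, len(host)) + host
        name_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list
    # A second extension (signature_algorithms) so the parser has to skip one.
    extensions += struct.pack("!HH", 0x000D, 4) + struct.pack("!HBB", 2, 0x04, 0x01)
    body = (
        b"\x03\x03"                               # client_version: TLS 1.2
        + b"\x00" * 32                            # random (fixed, constructed)
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
        + b"\x01\x00"                             # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension, or None if the hello has none.

    Raises ValueError when the bytes are not a complete ClientHello record.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != CLIENT_HELLO:
        raise ValueError("not a complete ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")

    def take(pos: int, n: int) -> bytes:
        if pos + n > len(body):
            raise ValueError("truncated ClientHello field")
        return body[pos:pos + n]

    pos = 2 + 32                                       # client_version + random
    pos += 1 + take(pos, 1)[0]                         # session_id
    pos += 2 + struct.unpack("!H", take(pos, 2))[0]    # cipher_suites
    pos += 1 + take(pos, 1)[0]                         # compression_methods
    if pos == len(body):
        return None                                    # no extensions block at all
    (ext_total,) = struct.unpack("!H", take(pos, 2))
    pos += 2
    end = pos + ext_total
    take(pos, ext_total)                               # bounds check only
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = take(pos, ext_len)
        pos += ext_len
        if ext_type != EXT_SERVER_NAME or len(data) < 2:
            continue
        (list_len,) = struct.unpack("!H", data[:2])
        q = 2
        while q + 3 <= 2 + list_len:
            name_type, name_len = struct.unpack("!BH", data[q:q + 3])
            q += 3
            name = data[q:q + name_len]
            q += name_len
            if name_type == NAME_TYPE_HOST:
                return name.decode("ascii", errors="replace")
    return None


def hostname_matches(hostname: str, cert_names: Iterable[str]) -> bool:
    """True if hostname is one of the certificate's names (CN or SAN),
    allowing a single leftmost-label wildcard such as '*.example.com'."""
    h = hostname.lower().rstrip(".")
    for pattern in cert_names:
        p = pattern.lower().rstrip(".")
        if p == h:
            return True
        if p.startswith("*.") and h.count(".") == p.count(".") and h.endswith(p[1:]):
            return True
    return False
```

Running `parse_sni(build_client_hello("www.example.com"))` returns `"www.example.com"`, and `hostname_matches` then confirms it against the certificate's names. Logging the SNI next to the served certificate's CN and SANs is what lets a sensor answer Seth's question: a client that names the host in the ClientHello already knew it, whereas a hello without SNI followed by a request for a hostname that only appears in the certificate fits the scrape-then-connect pattern Jason describes.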

