Snort mailing list archives
Re: Detecting TCP session without data after three-way handshake
From: Seth Hall <seth () remor com>
Date: Fri, 4 Nov 2011 09:24:18 -0400
On Nov 3, 2011, at 10:56 PM, Jason Haar wrote:
> I learnt one thing: if you make a legitimate SSL transaction against an HTTPS server (to scrape the public cert) - APACHE WON'T LOG ANYTHING - including errors. That's what I think happened. They made an SSL request, got the cert (which generates no logs) then connected back to the hostnames mentioned in the cert - ensuring they don't get whacked by WAFs/etc.
They didn't necessarily connect back. The tool they're using could have just watched for the CN in the cert then used that for the Host header in the request. The bigger question might be if they used that hostname in the "server_name" SSL extension since you have to know about the hostname ahead of time because it's sent in the client hello before the certificate exchange.

.Seth
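The ordering Seth points at (server_name travels in the ClientHello, before the server has sent its certificate) is something a sensor can check directly: a client that only learned the hostname from the certificate cannot have sent SNI on that first connection, so "handshake seen, no server_name" is a useful field to log next to the empty-session detection discussed in this thread. The following is an added example, not code from the thread or from Snort: a small pure-Python parser that pulls the server_name extension out of a raw TLS ClientHello record. The ClientHello bytes it feeds itself are constructed inline (zero random, one cipher suite, TLS 1.2 version fields) purely as test input; it assumes a single unfragmented handshake record, which is how a ClientHello normally arrives.

```python
"""
Extract the server_name (SNI) extension from a raw TLS ClientHello record.

Added example, not from the Snort-users thread. The ClientHello records it
parses are constructed by build_client_hello() below for demonstration only.
Assumes one unfragmented TLS record carrying a single ClientHello.
"""
import struct


def _u16(buf: bytes, off: int) -> int:
    """Read a big-endian uint16 at offset off."""
    return struct.unpack_from("!H", buf, off)[0]


def extract_sni(record: bytes):
    """Return the host_name from the server_name extension, or None if absent.

    Raises ValueError if the record is not a TLS handshake ClientHello.
    """
    if len(record) < 5 or record[0] != 0x16:          # content type: handshake
        raise ValueError("not a TLS handshake record")
    rec_len = _u16(record, 3)
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:              # handshake type: client_hello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    off = 2 + 32                                      # client_version + random
    sid_len = hello[off]
    off += 1 + sid_len                                # session_id
    cs_len = _u16(hello, off)
    off += 2 + cs_len                                 # cipher_suites
    cm_len = hello[off]
    off += 1 + cm_len                                 # compression_methods
    if off >= len(hello):
        return None                                   # no extensions block at all

    ext_total = _u16(hello, off)
    off += 2
    end = off + ext_total
    while off + 4 <= end:
        ext_type = _u16(hello, off)
        ext_len = _u16(hello, off + 2)
        off += 4
        data = hello[off:off + ext_len]
        off += ext_len
        if ext_type == 0x0000:                        # server_name extension
            list_len = _u16(data, 0)
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = data[p]
                name_len = _u16(data, p + 1)
                p += 3
                name = data[p:p + name_len]
                p += name_len
                if name_type == 0:                    # NameType host_name
                    return name.decode("ascii")
    return None


def build_client_hello(server_name=None) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed test input).

    Always includes an ec_point_formats extension so the extensions block is
    present even when server_name is omitted, mirroring real clients.
    """
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    exts += struct.pack("!HH", 0x000B, 2) + b"\x01\x00"              # ec_point_formats

    hello = b"\x03\x03" + bytes(32)                   # version TLS 1.2, zero random
    hello += b"\x00"                                  # empty session_id
    hello += struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
    hello += b"\x01\x00"                              # compression: null only
    hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify(record: bytes) -> str:
    """Label a ClientHello for logging: 'sni=<name>' or 'no-sni'."""
    name = extract_sni(record)
    return f"sni={name}" if name else "no-sni"


if __name__ == "__main__":
    print(classify(build_client_hello("www.example.com")))   # sni=www.example.com
    print(classify(build_client_hello()))                    # no-sni
```

Paired with the "handshake but no application data" check from earlier in the thread, the no-sni label narrows the alert to exactly the case Seth describes: a client that had to read the certificate first and could not have named the host up front.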
Current thread:
- Detecting TCP session without data after three-way handshake Willst Mail (Nov 02)
- Re: Detecting TCP session without data after three-way handshake Edward Fjellskål (Nov 03)
- Re: Detecting TCP session without data after three-way handshake Jason Haar (Nov 03)
- Re: Detecting TCP session without data after three-way handshake Giles Coochey (Nov 04)
- Re: Detecting TCP session without data after three-way handshake Martin Holste (Nov 04)
- Re: Detecting TCP session without data after three-way handshake Seth Hall (Nov 04)