[Emerging-Sigs] SSL Renegotiation

Rich Rumble richrumble at gmail.com
Mon Oct 31 14:24:54 EST 2011


On Tue, Oct 25, 2011 at 1:47 PM, Rich Rumble <richrumble at gmail.com> wrote:
> Would it be best to use a threshold rule of some sort, or are there other ways
> in Snort and/or Suricata that would be better?
> http://www.thc.org/thc-ssl-dos/
This is my first real threshold rule, I'm simply looking for
this string: 14 03 01 00 01 01

There are other rules that are similar (sid:2003008, 2003009, 2003018, 2003019).
I'm not sure how to better narrow down to these ports:
443, 465, 563, 636, 989, 990, 993, 995, 5223
which are typical services over SSL/TLS. Right now the rule might be a
bit costly with "any" being used. No "SSL_Ports" variable that I can find
in Snort or Suri, I wonder if SSL might be port agnostic like HTTP is in Suri?

I've been able to get this to FP by holding F5 in a browser and doing a google
search (https://google.com) or in gmail holding F5. I've tried to tune it to the
THC tool and a Bash script they also published, it's working well so far...
http://www.thc.org/thc-ssl-dos/


alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS SSL Renegotiation"; flow:established; ssl_state:server_hello; content:"|14 03 01 00 01 01|"; detection_filter:track by_src, count 8, seconds 1; reference:url,http://www.thc.org/thc-ssl-dos; sid:1000001;)

Maybe the folks on the Pro side would be better suited for such a
rule; to me the bash script and the thc-ssl-dos tool look very similar,
but they are not exact matches in the traffic generated.
-rich
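As an added illustration (not code from the post above or from the Emerging Threats ruleset), the following Python mirrors what the rule is doing: it parses the TLS record header to recognise a ChangeCipherSpec record (content type 0x14, length 1, body 0x01) and applies the same "track by_src, count 8, seconds 1" counting over constructed sample traffic. It generalises the matched bytes slightly by accepting TLS 1.0, 1.1 and 1.2 record versions (03 01, 03 02, 03 03), since the record layout is identical across them; the IPs and timestamps are constructed.

```python
from collections import defaultdict, deque

CHANGE_CIPHER_SPEC = 0x14
TLS_VERSIONS = {(3, 1), (3, 2), (3, 3)}  # record versions for TLS 1.0/1.1/1.2


def is_change_cipher_spec(record: bytes) -> bool:
    """True if the bytes begin with a ChangeCipherSpec record: 14 03 0x 00 01 01."""
    if len(record) < 6:
        return False
    ctype, vmaj, vmin = record[0], record[1], record[2]
    length = int.from_bytes(record[3:5], "big")
    return (ctype == CHANGE_CIPHER_SPEC and (vmaj, vmin) in TLS_VERSIONS
            and length == 1 and record[5] == 0x01)


class RenegotiationMonitor:
    """Per-source sliding window, equivalent to detection_filter track by_src."""

    def __init__(self, count: int = 8, window_ms: int = 1000):
        self.count, self.window_ms = count, window_ms
        self.seen = defaultdict(deque)  # src -> timestamps (ms) of CCS records

    def observe(self, src: str, ts_ms: int, record: bytes) -> bool:
        """Return True when this record reaches/exceeds the threshold for src."""
        if not is_change_cipher_spec(record):
            return False
        q = self.seen[src]
        q.append(ts_ms)
        while q and ts_ms - q[0] > self.window_ms:  # drop events outside window
            q.popleft()
        return len(q) >= self.count


# Constructed sample records (hypothetical traffic, not captured data).
CCS_TLS10 = bytes.fromhex("140301000101")
CCS_TLS12 = bytes.fromhex("140303000101")
APP_DATA = bytes.fromhex("170301002a")  # application data header, ignored


def run_sample():
    """Ten CCS records from one source in 450 ms should alert from the 8th on;
    three CCS records a second apart from another source should not."""
    mon = RenegotiationMonitor()
    events = [("10.0.0.5", 50 * i, CCS_TLS10) for i in range(10)]
    events += [("10.0.0.9", 1000 * i, CCS_TLS12) for i in range(3)]
    events += [("10.0.0.5", 200, APP_DATA)]
    alerts = []
    for src, ts, rec in sorted(events, key=lambda e: e[1]):
        if mon.observe(src, ts, rec):
            alerts.append((src, ts))
    return alerts
```

Note that this only models the byte match and the rate threshold; the rule's flow:established and ssl_state:server_hello conditions are what keep it from counting every ChangeCipherSpec in a normal handshake.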