[Emerging-Sigs] SSL Renegotiation

Kevin Ross kevross33 at googlemail.com
Mon Oct 31 18:12:38 EST 2011


This detection is better:

http://vrt-blog.snort.org/2011/10/ssl-dos-snort-and-you.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Vrt+%28Sourcefire+VRT+-+Vulnerability+Research%2C+Razorback+and+Explosions%29




On 31 October 2011 19:24, Rich Rumble <richrumble at gmail.com> wrote:

> On Tue, Oct 25, 2011 at 1:47 PM, Rich Rumble <richrumble at gmail.com> wrote:
> > Would it be best to use a threshold rule of some sort, or are there
> other ways
> > in Snort and or Suricata that would be better?
> > http://www.thc.org/thc-ssl-dos/
> This is my first real threshold rule, I'm simply looking for
> this string: 14 03 01 00 01 01
>
> There are other rules that are similar (sid:2003008, 2003009, 2003018,
> 2003019)
> I'm not sure how to better narrow down to these ports:
> 443, 465, 563, 636, 989, 990, 993, 995, 5223
> which are typical services over SSL/TLS. Right now the rule might be a
> bit costly with
> "any" being used.  No "SSL_Ports" variable that I can find in Snort or
> Suri, I wonder
> if SSL might be port agnostic like Http is in Suri?
>
> I've been able to get this to FP by holding F5 in a browser and doing a
> google
> search (https://google.com) or in gmail holding F5. I've tried to tune it
> to the
> THC tool and a Bash script they also published, it's working well so far...
> http://www.thc.org/thc-ssl-dos/
>
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS SSL
> Renegotiation"; flow:established; ssl_state: server_hello;
> content:"|14 03 01 00 01 01|"; detection_filter:track by_src, count 8,
> seconds 1; reference:url,http://www.thc.org/thc-ssl-dos; sid:1000001;)
>
> Maybe the folks on the Pro side would be better suited for such a
> rule, but to me the bash
> script and the thc-ssl-dos tool look very similar, but are not exact
> matches in traffic generated.
> -rich
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
> Current!
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20111031/96187a7c/attachment.html


More information about the Emerging-sigs mailing list