[Emerging-Sigs] SSL Renegotiation
kevross33 at googlemail.com
Mon Oct 31 18:12:38 EST 2011
This detection is better:
On 31 October 2011 19:24, Rich Rumble <richrumble at gmail.com> wrote:
> On Tue, Oct 25, 2011 at 1:47 PM, Rich Rumble <richrumble at gmail.com> wrote:
> > Would it be best to use a threshold rule of some sort, or are there
> other ways
> > in Snort and or Suricata that would be better?
> > http://www.thc.org/thc-ssl-dos/
> This is my first real threshold rule, I'm simply looking for
> this string: 14 03 01 00 01 01
> There are other rules that are similar (sid:2003008, 2003009, 2003018,
> I'm not sure how to better narrow down to these ports:
> 443, 465, 563, 636, 989, 990, 993, 995, 5223
> which are typical services over SSL/TLS. Right now the rule might be a
> bit costly with
> "any" being used. No "SSL_Ports" variable that I can find in Snort or
> Suri, I wonder
> if SSL might be port agnostic like Http is in Suri?
> I've been able to get this to FP by holding F5 in a browser and doing a
> search (https://google.com) or in gmail holding F5. I've tried to tune it
> to the
> THC tool and a Bash script they also published, it's working well so far...
> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS SSL
> Renegotiation"; flow:established; ssl_state: server_hello;
> content:"|14 03 01 00 01 01|"; detection_filter:track by_src, count 8,
> seconds 1; reference:url,http://www.thc.org/thc-ssl-dos; sid:1000001;)
> Maybe the folks on the Pro side would be better suited for such a
> rule, but to me the bash
> script and the thc-ssl-dos tool look very similar, but are not exact
> matches in traffic generated.
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Emerging-sigs