[Emerging-Sigs] SSL Renegotiation

Philip Martin phillip.martin at gmail.com
Mon Oct 31 23:13:19 EST 2011


If you disable SSL renegotiation in your services (which, I grant you,
is more feasible at a medium-size company scale), a rule like Rich
proposed would be useful.

The THC tool has published 2 methods of attack: in-session
renegotiation and multiple session establishment.  With the SSL
preproc set to ignore SSL-encrypted sessions (as is the default),
snort will not alert on the in-session method.  Letting snort inspect
encrypted traffic is not feasible for most people, so we're left with
closing off that attack vector and alerting on, or dropping, the
multiple session attack.

I have a set of rules very similar to the rule Rich published on my
employer's DMZ-fronting snort IPS.

-Philip
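As an added example (not code from this thread, the list, or the THC tool), here is a Python sketch of the check Rich's quoted rule performs: parse TLS records off a TCP payload, match the ChangeCipherSpec record (the `14 03 01 00 01 01` bytes), and apply a per-source sliding window equivalent to `detection_filter:track by_src, count 8, seconds 1`. It goes beyond the rule by also accepting TLS 1.1 and 1.2 record versions (`03 02`, `03 03`); the packets, addresses and timestamps are constructed.

```python
# Constructed example: parse TLS records, flag ChangeCipherSpec, rate-limit per source.
from collections import defaultdict, deque
import struct
CHANGE_CIPHER_SPEC = 0x14
TLS_VERSIONS = {(3, 1), (3, 2), (3, 3)}  # TLS 1.0/1.1/1.2; Rich's rule matches only 03 01

def parse_records(data: bytes):
    """Yield (content_type, (major, minor), payload) for each TLS record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        payload = data[off + 5:off + 5 + length]
        if len(payload) < length:
            break  # truncated record: stop rather than mis-parse the remainder
        yield ctype, (major, minor), payload
        off += 5 + length

def is_change_cipher_spec(record) -> bool:
    """True for a well-formed TLS 1.x ChangeCipherSpec record (14 03 0x 00 01 01)."""
    ctype, version, payload = record
    return ctype == CHANGE_CIPHER_SPEC and version in TLS_VERSIONS and payload == b"\x01"

class SourceRateFilter:
    """Sliding window mirroring Snort's detection_filter: track by_src, count N, seconds S."""
    def __init__(self, count: int, window_ms: int):
        self.count, self.window_ms = count, window_ms
        self.seen = defaultdict(deque)  # src -> timestamps (ms) of recent matches
    def hit(self, src: str, ts_ms: int) -> bool:
        q = self.seen[src]
        q.append(ts_ms)
        while q and ts_ms - q[0] > self.window_ms:
            q.popleft()  # drop matches that fell out of the window
        return len(q) >= self.count  # alert on the Nth match and every later one in window

def alerts_for(packets, count: int = 8, window_ms: int = 1000):
    """packets: iterable of (ts_ms, src_ip, tcp_payload), time-ordered. Returns [(ts_ms, src)]."""
    flt, out = SourceRateFilter(count, window_ms), []
    for ts, src, payload in packets:
        for rec in parse_records(payload):
            if is_change_cipher_spec(rec) and flt.hit(src, ts):
                out.append((ts, src))
    return out

# Constructed traffic: one client opens 10 handshakes in 450 ms, another opens 3 in 600 ms.
CCS_TLS10, CCS_TLS12 = bytes.fromhex("140301000101"), bytes.fromhex("140303000101")
SAMPLE = sorted([(50 * i, "203.0.113.7", CCS_TLS10) for i in range(10)]
                + [(300 * i, "198.51.100.2", CCS_TLS12) for i in range(3)])
if __name__ == "__main__":
    for ts, src in alerts_for(SAMPLE):
        print(f"{ts:5d} ms  ET DOS SSL Renegotiation  src={src}")
```

Like the Snort filter, this fires on the eighth match from a source within the window and on every further match while the window stays full, so a browser refresh storm against one host can still trip it, as Rich observed.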

On Mon, Oct 31, 2011 at 4:12 PM, Kevin Ross <kevross33 at googlemail.com> wrote:
> This detection is better:
>
> http://vrt-blog.snort.org/2011/10/ssl-dos-snort-and-you.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Vrt+%28Sourcefire+VRT+-+Vulnerability+Research%2C+Razorback+and+Explosions%29
>
> On 31 October 2011 19:24, Rich Rumble <richrumble at gmail.com> wrote:
>>
>> On Tue, Oct 25, 2011 at 1:47 PM, Rich Rumble <richrumble at gmail.com> wrote:
>> > Would it be best to use a threshold rule of some sort, or are there
>> > other ways
>> > in Snort and or Suricata that would be better?
>> > http://www.thc.org/thc-ssl-dos/
>> This is my first real threshold rule, I'm simply looking for
>> this string: 14 03 01 00 01 01
>>
>> There are other rules that are similar (sid:2003008, 2003009, 2003018,
>> 2003019)
>> I'm not sure how to better narrow down to these ports:
>> 443, 465, 563, 636, 989, 990, 993, 995, 5223
>> which are typical services over SSL/TLS. Right now the rule might be a
>> bit costly with "any" being used.  No "SSL_Ports" variable that I can
>> find in Snort or Suri; I wonder if SSL might be port agnostic like
>> Http is in Suri?
>>
>> I've been able to get this to FP by holding F5 in a browser and doing a
>> google search (https://google.com) or in gmail holding F5. I've tried
>> to tune it to the THC tool and a Bash script they also published; it's
>> working well so far...
>> http://www.thc.org/thc-ssl-dos/
>>
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DOS SSL
>> Renegotiation"; flow:established; ssl_state: server_hello;
>> content:"|14 03 01 00 01 01|"; detection_filter:track by_src, count 8,
>> seconds 1; reference:url,http://www.thc.org/thc-ssl-dos; sid:1000001;)
>>
>> Maybe the folks on the Pro side would be better suited for such a
>> rule, but to me the bash
>> script and the thc-ssl-dos tool look very similar, but are not exact
>> matches in traffic generated.
>> -rich
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at emergingthreats.net
>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreatspro.com
>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through
>> Current!
>

