[Oisf-users] problem with forged tls and fallchill
Cooper F. Nelson
cnelson at ucsd.edu
Mon Nov 27 16:42:14 UTC 2017
I use these to good effect...
> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL Port 443 outbound but not SSL/TLS"; flow:to_server; app-layer-protocol:!tls; prefilter; sid:8;)
> alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"LOCAL Port 443 inbound but not SSL/TLS"; flow:to_server; app-layer-protocol:!tls; prefilter; sid:9;)
On 11/27/2017 8:26 AM, erik clark wrote:
> My question is, is there a fast way to say "This isn't tls on a tls
> port" without mucking around with bytes at given offsets and
> whathaveyou? It is clearly not tls, so I would think suri has a way to
> inspect for that?
--
Cooper Nelson
Network Security Analyst
UCSD ITS Security Team
cnelson at ucsd.edu x41042
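
Added example, not part of the original thread and not Suricata's own detection code: a Python sketch of the kind of byte-offset check on the first client payload that the question wants to avoid, and that the app-layer-protocol:!tls rules above leave to Suricata's protocol detection. The sample payloads are constructed and the function names are hypothetical.

```python
import struct

# Constructed sample payloads: first bytes a client sends to port 443.
SAMPLES = {
    "client_hello": bytes.fromhex("16030100310100002d0303") + bytes(43),
    "http_get": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "bad_length": bytes.fromhex("1603010005010000ff0303"),
    "short": b"\x16\x03",
}

# Upper bound on a TLS record length field (2^14 + 2048, RFC 5246).
MAX_RECORD = 16384 + 2048


def looks_like_client_hello(payload: bytes) -> bool:
    """True if payload starts with a plausible handshake record holding a ClientHello."""
    if len(payload) < 9:  # 5-byte record header + 4-byte handshake header
        return False
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    # Content type 0x16 is handshake; record version is 3.0 through 3.4.
    if ctype != 0x16 or major != 3 or minor > 4:
        return False
    if rec_len < 4 or rec_len > MAX_RECORD:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    # Handshake type 1 is ClientHello; its body must fit inside the record.
    # A hello fragmented across several records is out of scope for this sketch.
    return hs_type == 1 and hs_len + 4 <= rec_len


def classify(samples):
    """Map each sample name to 'tls' or 'not-tls'."""
    return {
        name: "tls" if looks_like_client_hello(data) else "not-tls"
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in classify(SAMPLES).items():
        print(f"{name:13s} {verdict}")
```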