[Oisf-users] problem with forged tls and fallchill

Michał Purzyński michalpurzynski1 at gmail.com
Mon Nov 27 16:53:22 UTC 2017


I second that

https://gist.github.com/mpurzynski/3d1c17b53ed0f46effde4de426d2385d



On Mon, Nov 27, 2017 at 5:42 PM, Cooper F. Nelson <cnelson at ucsd.edu> wrote:
>
> I use these to good effect...
>
> > alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL Port 443 outbound but not SSL/TLS"; flow:to_server; app-layer-protocol:!tls; prefilter; sid:8;)
> > alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"LOCAL Port 443 inbound but not SSL/TLS"; flow:to_server; app-layer-protocol:!tls; prefilter; sid:9;)
>
> On 11/27/2017 8:26 AM, erik clark wrote:
> > My question is, is there a fast way to say "This isn't tls on a tls
> > port" without mucking around with bytes at given offsets and
> > whathaveyou? It is clearly not tls, so I would think suri has a way to
> > inspect for that?
>
>
> --
> Cooper Nelson
> Network Security Analyst
> UCSD ITS Security Team
> cnelson at ucsd.edu x41042
>
>
>
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>
> Conference: https://suricon.net
> Trainings: https://suricata-ids.org/training/
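Added illustration, not from the thread and not Suricata's own code: a stand-alone Python check of whether the first client-to-server bytes on port 443 look like a TLS ClientHello record, which is the kind of decision `app-layer-protocol:!tls` makes without the rule author touching byte offsets. The sample payloads and the length sanity bounds are constructed assumptions and a simplification of the TLS record layer, not Suricata's actual detection logic.

```python
import struct

TLS_HANDSHAKE = 0x16      # record content type: handshake
TLS_CLIENT_HELLO = 0x01   # handshake message type: ClientHello
MAX_RECORD_LEN = 16384 + 2048  # TLSPlaintext/compressed upper bound


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Return True if payload starts with a plausible TLS ClientHello.

    Checks: 5-byte record header (type 0x16, version 3.x, sane length),
    then a 4-byte handshake header (type 0x01) whose length fits the record.
    Simplified stand-in for an app-layer classifier; SSLv2 is not handled.
    """
    if len(payload) < 9:
        return False
    ctype, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != TLS_HANDSHAKE or major != 3 or minor > 4:
        return False
    if rec_len == 0 or rec_len > MAX_RECORD_LEN:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_type != TLS_CLIENT_HELLO:
        return False
    # Handshake header (4 bytes) plus body must fit inside the record.
    return hs_len + 4 <= rec_len


def classify(flows):
    """Map flow name -> 'tls' or 'not-tls'; 'not-tls' is what the quoted
    rules would alert on for traffic to a TLS port."""
    return {name: ("tls" if looks_like_tls_client_hello(p) else "not-tls")
            for name, p in flows.items()}


# Constructed sample payloads (not captured traffic).
SAMPLE_FLOWS = {
    # TLS record len 0x2f=47 = 4-byte handshake header + 43-byte body.
    "tls_client_hello": bytes.fromhex("160301002f0100002b") + b"\x03\x03" + b"\x00" * 41,
    "http_on_443": b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "ssh_on_443": b"SSH-2.0-OpenSSH_7.4\r\n",
    "truncated_header": b"\x16\x03\x01",
    # Handshake record, but a ServerHello (0x02) from the client side.
    "wrong_handshake_type": bytes.fromhex("160303002f0200002b") + b"\x00" * 43,
}

if __name__ == "__main__":
    for name, verdict in classify(SAMPLE_FLOWS).items():
        print(f"{name:22s} {verdict}")
```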

