[Oisf-users] problem with forged tls and fallchill

erik clark philosnef at gmail.com
Mon Nov 27 17:04:42 UTC 2017


Thanks Michal, Cooper. This is exactly what I wanted. I did not know about
app-layer filtering. Teach a man to fish and all that.


On Mon, Nov 27, 2017 at 11:53 AM, Michał Purzyński <
michalpurzynski1 at gmail.com> wrote:

> I second that
>
> https://gist.github.com/mpurzynski/3d1c17b53ed0f46effde4de426d2385d
>
>
>
> On Mon, Nov 27, 2017 at 5:42 PM, Cooper F. Nelson <cnelson at ucsd.edu>
> wrote:
> >
> > I use these to good effect...
> >
> > > alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL Port 443
> > > outbound but not SSL/TLS"; flow:to_server; app-layer-protocol:!tls;
> > > prefilter; sid:8;)
> > > alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"LOCAL Port 443
> > > inbound but not SSL/TLS"; flow:to_server; app-layer-protocol:!tls;
> > > prefilter; sid:9;)
> >
> > On 11/27/2017 8:26 AM, erik clark wrote:
> > > My question is, is there a fast way to say "This isn't tls on a tls
> > > port" without mucking around with bytes at given offsets and
> > > whathaveyou? It is clearly not tls, so I would think suri has a way to
> > > inspect for that?
> >
> >
> > --
> > Cooper Nelson
> > Network Security Analyst
> > UCSD ITS Security Team
> > cnelson at ucsd.edu x41042
> >
> >
> >
> > _______________________________________________
> > Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> > Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> >
> > Conference: https://suricon.net
> > Trainings: https://suricata-ids.org/training/
>
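The rules Cooper posted delegate the "is this really TLS?" decision to Suricata's app-layer protocol detection, which is why no byte offsets appear in them. The following Python is an added illustration (not code from Cooper, Michal, the linked gist, or the Suricata project) of the kind of check that detection performs on the first client payload of a flow: a TLS handshake record (content type 0x16, version major 0x03) wrapping a ClientHello (handshake type 0x01). The function names and all sample payloads are constructed for this example. One practical caveat when deploying the posted rules: `app-layer-protocol:!tls` matches once Suricata's detection has concluded the flow is not TLS, so the alert is tied to the flow rather than to the first packet, and it will fire for any non-TLS service on 443 (plain HTTP, SSH, custom binaries), which is usually the desired behaviour but worth knowing when tuning.

```python
# Added example: a minimal reconstruction of the "TLS on a TLS port?" check
# that Suricata's app-layer detection performs before `app-layer-protocol:!tls`
# can match. All sample payloads are constructed for illustration.
import struct

TLS_HANDSHAKE = 0x16     # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01  # handshake message type: ClientHello


def looks_like_tls_client_hello(payload: bytes) -> bool:
    """Return True if the first bytes of a client->server payload form a
    plausible TLS record carrying a ClientHello.

    Checks: record content type 0x16, record version major 0x03 (SSL 3.0 and
    every TLS 1.x use 0x03 on the wire), a record length within the protocol
    maximum, and a ClientHello handshake header whose length is consistent
    with the record (a ClientHello may span more than one record, so the
    handshake length is allowed to exceed the record payload).
    """
    if len(payload) < 9:
        # Too short to hold record header (5) + handshake header (4).
        # A real IDS would wait for more data; here we simply say "not TLS".
        return False
    content_type, major, minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if content_type != TLS_HANDSHAKE or major != 0x03 or minor > 0x04:
        return False
    if rec_len == 0 or rec_len > 2**14 + 2048:
        return False
    hs_type = payload[5]
    hs_len = int.from_bytes(payload[6:9], "big")
    if hs_type != TLS_CLIENT_HELLO:
        return False
    return hs_len + 4 >= rec_len


def build_client_hello() -> bytes:
    """Construct a minimal, syntactically valid TLS ClientHello record
    (constructed sample, not a capture)."""
    body = (
        b"\x03\x03"            # client_version: TLS 1.2
        + b"\x00" * 32         # random (zeroed for the sample)
        + b"\x00"              # session id length: 0
        + b"\x00\x02\x13\x01"  # cipher suites: one suite listed
        + b"\x01\x00"          # compression methods: null only
        + b"\x00\x00"          # extensions length: 0
    )
    handshake = bytes([TLS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_hdr = bytes([TLS_HANDSHAKE, 0x03, 0x01]) + len(handshake).to_bytes(2, "big")
    return record_hdr + handshake


# Constructed flows: (flow id, destination port, first client->server payload)
SAMPLE_FLOWS = [
    ("tls-ok",   443, build_client_hello()),
    ("http-443", 443, b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    ("ssh-443",  443, b"SSH-2.0-OpenSSH_7.4\r\n"),
    ("raw-443",  443, b"\x00\x00\x00\x0cHELLO\x00\x01\x02\x03"),
    ("http-80",  80,  b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
]


def port443_not_tls_alerts(flows):
    """Mimic the logic of the posted 'port 443 but not SSL/TLS' rule:
    report flows to port 443 whose client payload is not a TLS ClientHello."""
    return [fid for fid, dport, payload in flows
            if dport == 443 and not looks_like_tls_client_hello(payload)]


if __name__ == "__main__":
    for fid in port443_not_tls_alerts(SAMPLE_FLOWS):
        print(f"ALERT port 443 but not TLS: {fid}")
```

Running the block prints alerts for the HTTP, SSH and raw-binary flows on 443 and stays quiet for the genuine ClientHello and for HTTP on port 80, which mirrors what the `$HOME_NET any -> $EXTERNAL_NET 443` rule with `app-layer-protocol:!tls` would do on live traffic.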