Hello List,
According to some snort/postgresql Howto, I managed to get snort remote logging into a postgresql database. Now I have the problem of verifying whether the traffic really is SSL traffic.

Doing the following gives some SSL handshake data:

    $ lynx https://blade
    $
    $ [EMAIL PROTECTED] ssldump -i lnc0
    New TCP connection #1: snort.project.local(2034) <-> blade.project.local(443)
    1 1  0.0130 (0.0130)  C>S  SSLv2 compatible client hello
      Version 3.1
      cipher suites
      Unknown value 0x39
    [..]

Now that looks like SSL. After verifying that a connection is established between the two hosts, I listen for packets on the loghost. Doing some standard (nmap) scan, snort logs data remotely:

    $ tcpdump -w trace -c3 -s0 -vvvtttX host 172.16.0.2 and port 5432
    tcpdump: listening on lnc0
    000000 snort.project.local.4666 > blade.project.local.postgresql: P [tcp sum ok] 1871798127:1871798201(74) ack 2122693707 win 58400 (DF) (ttl 61, id 58079, len 114)
    0x0000   4500 0072 e2df 4000 3d06 3180 0a0a 0a89        E..r..@.=.1.....
    0x0010   0a0a 0a8a 123a 1538 6f91 5f6f 7e85 bc4b        .....:.8o._o~..K
    0x0020   5018 e420 bd14 0000 1703 0100 20b3 65a3        P.............e.
    0x0030   203a 9ed2 6273 2140 d581 ae89 8b1e 2467        .:..bs!@......$g
    0x0040   f76f 7a3a e2a1 a1b0 5259 03a0 8817 0301        .oz:....RY......
    0x0050   0020 a92c 8807 e5f3 bfa8 ea44 9c76 c98e        ...,.......D.v..
    0x0060   4499 a5c5 b16b 643d 4229 cf81 34ac b2d8        D....kd=B)..4...
    0x0070   a7b5                                           ..
    001438 blade.project.local.postgresql > snort.project.local.4666: P [tcp sum ok] 1:91(90) ack 74 win 58400 (DF) (ttl 61, id 53933, len 130)
    0x0000   4500 0082 d2ad 4000 3d06 41a2 0a0a 0a8a        E.....@.=.A.....
    0x0010   0a0a 0a89 1538 123a 7e85 bc4b 6f91 5fb9        .....8.:~..Ko._.
    0x0020   5018 e420 baea 0000 1703 0100 2047 1290        P............G..
    0x0030   0c29 96f8 ece4 4260 55a0 e371 96f2 82cf        .)....B`U..q....
    0x0040   0fd9 39b0 e980 23c8 69a4 0979 5c17 0301        ..9...#.i..y\...
    0x0050   0030 4fd4 7375 6eaa 476b fe41 e67a 24d2        .0O.sun.Gk.A.z$.
    0x0060   c096 b3b9 cabb f0f5 5e1d 663d c1a6 ddbd        ........^.f=....
    0x0070   7190 3255 a3b9 397d dc41 7d27 6305 1fb0        q.2U..9}.A}'c...
    0x0080   a879                                           .y
    [..]

But

    $ ssldump -i lnc0 -r trace port 5432

gives nothing. I suspect this does not show an SSL handshake because it is only made once (when the connection between snort and the loghost DB is initialised), but I am not sure. Is there any other way to guess whether the trace is SSL or not? Looking at it, I can't see plain text, of course :)

-- 
Gruss
Stefan Kuttler (B.O.F.H.)
.ooO=Ooo.
https://www.netbeisser.de
GPG Fingerprint: E7AC 1E9B 87D8 5BD2 E2F2 6F4A 3177 ED68 8185 480C

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [email protected]
Automated List Manager                           [EMAIL PROTECTED]
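An added example, not part of Stefan's post or of any tool he mentions: a small Python check that takes the tcpdump -X hex columns of the first snort -> postgresql packet quoted above, strips the IPv4 and TCP headers, and walks the payload as SSLv3/TLS records (5-byte header: content type, version, length). The two records it finds (type 0x17 application data, version 3.1 = TLSv1.0, 32 bytes each) tile the 74-byte payload exactly, which is the evidence one wants when the handshake itself was never captured.

```python
import struct

# Hex columns of the first packet as printed by tcpdump -X in the post
# (IPv4 + TCP headers included, ASCII column omitted).
PACKET_HEX = """
4500 0072 e2df 4000 3d06 3180 0a0a 0a89
0a0a 0a8a 123a 1538 6f91 5f6f 7e85 bc4b
5018 e420 bd14 0000 1703 0100 20b3 65a3
203a 9ed2 6273 2140 d581 ae89 8b1e 2467
f76f 7a3a e2a1 a1b0 5259 03a0 8817 0301
0020 a92c 8807 e5f3 bfa8 ea44 9c76 c98e
4499 a5c5 b16b 643d 4229 cf81 34ac b2d8
a7b5
"""

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0: "SSLv3", 1: "TLSv1.0", 2: "TLSv1.1", 3: "TLSv1.2"}

def tcp_payload(pkt: bytes) -> bytes:
    """Strip the IPv4 and TCP headers using their own length fields."""
    ihl = (pkt[0] & 0x0F) * 4                     # IPv4 header length
    total_len = struct.unpack("!H", pkt[2:4])[0]  # IPv4 total length
    data_off = (pkt[ihl + 12] >> 4) * 4           # TCP data offset
    return pkt[ihl + data_off:total_len]

def tls_records(payload: bytes):
    """Return [(type, version, length), ...] if the payload is a sequence of
    complete SSLv3/TLS records, else None (plaintext, junk or a record cut
    by TCP segmentation, which would need stream reassembly first)."""
    records, pos = [], 0
    while pos < len(payload):
        if len(payload) - pos < 5:
            return None
        ctype, major, minor, length = struct.unpack("!BBBH", payload[pos:pos + 5])
        if ctype not in CONTENT_TYPES or major != 3 or minor not in VERSIONS:
            return None
        if pos + 5 + length > len(payload):
            return None
        records.append((CONTENT_TYPES[ctype], VERSIONS[minor], length))
        pos += 5 + length
    return records

def classify(hexdump: str):
    """Parse a tcpdump -X hex column dump and list the TLS records it carries."""
    pkt = bytes.fromhex("".join(hexdump.split()))
    return tls_records(tcp_payload(pkt))

if __name__ == "__main__":
    print(classify(PACKET_HEX))
```

On a live trace the same walk should be run over the reassembled TCP stream rather than single segments, since a record can span segments; a PostgreSQL session that was not switched to SSL would fail the check at its very first byte.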
