#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port"; flowbits:isset,BS.SSL.Established; flow:established,to_server; content:"|17 03 01|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; reference:url,doc.emergingthreats.net/2003020; classtype:unusual-client-port-connection; sid:2003020; rev:9; metadata:created_at 2010_07_30, updated_at 2010_07_30;)

Added 2017-08-07 20:56:24 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port"; flowbits:isset,BS.SSL.Established; flow:established,to_server; content:"|17 03 01|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; reference:url,doc.emergingthreats.net/2003020; classtype:unusual-client-port-connection; sid:2003020; rev:9;)

Added 2011-10-12 19:12:43 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port"; flowbits:isset,BS.SSL.Established; flow:established,to_server; content:"|17 03 01|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003020; sid:2003020; rev:9;)

Added 2011-09-14 22:25:41 UTC


#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port"; flowbits:isset,BS.SSL.Established; flow:established,to_server; content:"|17 03 01|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003020; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003020; rev:9;)

Added 2011-02-04 17:22:12 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port"; flowbits:isset,BS.SSL.Established; flow:established,to_server; content:"|17 03 01|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; classtype:unusual-client-port-connection; reference:url,doc.emergingthreats.net/2003020; reference:url,www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port; sid:2003020; rev:9;)

Added 2009-02-11 19:15:23 UTC

Creates false positives when you connect to StoneGate Management Server to administer StoneSoft products.

tcpdump capture:

reading from file snort.log.1236381626, link-type EN10MB (Ethernet)
000000 00:1c:25:72:56:e5 > 00:00:5e:92:51:9d, ethertype IPv4 (0x0800), length 103: (tos 0x0, ttl  64, id 43655, offset 0, flags [DF], proto: TCP (6), length: 89) 172.25.50.28.36701 > 172.25.65.3.8905: P, cksum 0xf2b9 (correct), 1067692259:1067692296(37) ack 3415917563 win 12 <nop,nop,timestamp 52763178 17826870>
120.348804 00:1c:25:72:56:e5 > 00:00:5e:92:51:9d, ethertype IPv4 (0x0800), length 95: (tos 0x0, ttl  64, id 43983, offset 0, flags [DF], proto: TCP (6), length: 81) 172.25.50.28.36701 > 172.25.65.3.8905: P, cksum 0x9bc2 (correct), 132505:132534(29) ack 212677 win 860 <nop,nop,timestamp 52883527 17946870>
124.779208 00:1c:25:72:56:e5 > 00:00:5e:92:51:9d, ethertype IPv4 (0x0800), length 95: (tos 0x0, ttl  64, id 55235, offset 0, flags [DF], proto: TCP (6), length: 81) 172.25.50.28.58647 > 172.25.65.3.8905: P, cksum 0xfad7 (correct), 1323727344:1323727373(29) ack 3661207752 win 80 <nop,nop,timestamp 53008306 18067510>
124.863210 00:1c:25:72:56:e5 > 00:00:5e:92:51:9d, ethertype IPv4 (0x0800), length 95: (tos 0x0, ttl  64, id 55563, offset 0, flags [DF], proto: TCP (6), length: 81) 172.25.50.28.58647 > 172.25.65.3.8905: P, cksum 0x5102 (correct), 134490:134519(29) ack 216243 win 934 <nop,nop,timestamp 53133169 18192430>

-- CarlosLopez - 06 Mar 2009

Hi Carlos.

That's a real positive actually, but not for what you are looking for.

The sig is intended to identify SSL traffic on unexpected ports. There are a set of sigs before this that will unset the flowbit for EXPECTED common SSL ports. You can add a similar sig for this port's traffic and you should be good to go.

See here:

http://www.emergingthreats.net/cgi-bin/cvsweb.cgi/sigs/POLICY/POLICY_SSL_TLS_on_High_Port?rev=1.5;content-type=text%2Fplain

for the set of sigs. That help?

Matt

-- MattJonkman - 07 Mar 2009
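The flowbit chain Matt describes, modelled in Python as an added example. This is not Emerging Threats code: the two companion rules (one that sets BS.SSL.Established on a TLS handshake record on any port, one that unsets it on ports where TLS is expected) are assumptions about the shape of the sigs in POLICY_SSL_TLS_on_High_Port, not copies of them, and the expected-port list, hosts, ports, timestamps and payloads are constructed, modelled on Carlos's StoneGate capture above (destination port 8905) and Rupert's Webmin report further down the page (destination port 10000, payload header 17 03 01 01 C0). It shows why both reports fire, why adding those two ports to the expected set silences them, and how the content/depth match and the by-source threshold behave.

```python
"""Model of the flowbit chain behind ET sid 2003020 (TLS app data on an unusual port).

Added example, not Emerging Threats code. Rules A and B below are assumptions
about the companion sigs that set and unset BS.SSL.Established; the expected
port list, hosts, ports, timestamps and payloads are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

HANDSHAKE = b"\x16\x03\x01"   # TLS 1.0 record header, type handshake (content:"|16 03 01|", assumed)
APP_DATA = b"\x17\x03\x01"    # TLS 1.0 record header, type application data (content:"|17 03 01|")
DEPTH = 4                      # depth:4 -> the 3-byte pattern may start at offset 0 or 1
UNUSUAL_PORTS = range(1024, 65536)   # destination port range 1024:65535 in the rule header
LIMIT_SECONDS = 120            # threshold:type limit, count 1, seconds 120, track by_src
# Assumed list of ports on which TLS is expected; rule B unsets the bit for these.
EXPECTED_TLS_PORTS: Set[int] = {443, 465, 563, 636, 993, 995}
FlowKey = Tuple[str, int, str, int]


@dataclass(frozen=True)
class Packet:
    ts: float          # seconds, constructed
    src: str
    sport: int
    dst: str
    dport: int
    to_server: bool    # True = client -> server direction (flow:to_server)
    payload: bytes


def content_in_depth(payload: bytes, pattern: bytes, depth: int) -> bool:
    """Snort `content` with `depth`: the whole pattern must lie within the first `depth` bytes."""
    return payload[:depth].find(pattern) != -1


def flow_key(pkt: Packet) -> FlowKey:
    """Flowbits live on the flow, so key on (client, cport, server, sport) in either direction."""
    if pkt.to_server:
        return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    return (pkt.dst, pkt.dport, pkt.src, pkt.sport)


def run_rules(packets: List[Packet], expected_ports: Set[int]) -> List[Tuple[float, str, int]]:
    """Replay packets through the three-rule chain; return (ts, src, dport) per alert."""
    established: Dict[FlowKey, bool] = {}   # BS.SSL.Established per flow
    interval_start: Dict[str, float] = {}   # threshold state, tracked by source IP
    alerts: List[Tuple[float, str, int]] = []
    for pkt in sorted(packets, key=lambda p: p.ts):
        key = flow_key(pkt)
        # Rule A (assumed): a handshake record on any port sets the flowbit.
        if content_in_depth(pkt.payload, HANDSHAKE, DEPTH):
            established[key] = True
        # Rule B (assumed): traffic to an expected TLS port unsets it again.
        if key[3] in expected_ports:
            established[key] = False
        # sid 2003020: to_server, dport 1024:65535, bit still set, app-data record header.
        if (pkt.to_server and pkt.dport in UNUSUAL_PORTS and established.get(key)
                and content_in_depth(pkt.payload, APP_DATA, DEPTH)):
            start = interval_start.get(pkt.src)
            if start is None or pkt.ts - start >= LIMIT_SECONDS:   # limit 1 per 120 s per src
                interval_start[pkt.src] = pkt.ts
                alerts.append((pkt.ts, pkt.src, pkt.dport))
    return alerts


def sample_packets() -> List[Packet]:
    """Constructed traffic modelled on the two reports on this page (not the captures)."""
    hello = HANDSHAKE + b"\x00\x05" + b"\x01\x00\x00\x01\x03"   # fake 5-byte handshake body
    data10 = APP_DATA + b"\x01\xc0" + bytes(448)   # header 17 03 01 01 C0: 448 bytes, as in the Webmin dump
    data12 = b"\x17\x03\x03\x00\x20" + bytes(32)   # TLS 1.2 app data: 17 03 03, never matched
    return [
        # StoneGate management session to port 8905, two flows from one client
        Packet(0.0, "172.25.50.28", 36701, "172.25.65.3", 8905, True, hello),
        Packet(0.1, "172.25.50.28", 36701, "172.25.65.3", 8905, True, data10),
        Packet(120.3, "172.25.50.28", 36701, "172.25.65.3", 8905, True, data10),
        Packet(124.8, "172.25.50.28", 58647, "172.25.65.3", 8905, True, hello),
        Packet(124.9, "172.25.50.28", 58647, "172.25.65.3", 8905, True, data10),
        # Webmin on port 10000
        Packet(5.0, "192.168.1.218", 49236, "192.168.1.135", 10000, True, hello),
        Packet(5.1, "192.168.1.218", 49236, "192.168.1.135", 10000, True, data10),
        # HTTPS on 443: expected port, rule B clears the bit, no alert
        Packet(6.0, "192.168.1.218", 49300, "198.51.100.5", 443, True, hello),
        Packet(6.1, "192.168.1.218", 49300, "198.51.100.5", 443, True, data10),
        # TLS 1.2 records on 8443: bit set, but "|17 03 01|" does not match 17 03 03
        Packet(7.0, "192.168.1.218", 49400, "203.0.113.9", 8443, True, hello),
        Packet(7.1, "192.168.1.218", 49400, "203.0.113.9", 8443, True, data12),
    ]


def main() -> None:
    pkts = sample_packets()
    print("as shipped:            ", run_rules(pkts, EXPECTED_TLS_PORTS))
    print("8905/10000 whitelisted:", run_rules(pkts, EXPECTED_TLS_PORTS | {8905, 10000}))


if __name__ == "__main__":
    main()
```

As shipped the replay raises three alerts: the first StoneGate data record, the Webmin data record, and the StoneGate record 120 seconds later; the fourth candidate (the second 8905 flow at 124.9 s) is swallowed by the limit threshold because it is within 120 s of the previous alert from that source. With 8905 and 10000 in the expected set nothing fires, which is the effect of the companion sig Matt suggests, one carrying flowbits:unset,BS.SSL.Established for that port (assumed form). Two caveats a practitioner would check before relying on this rule: content:"|17 03 01|" only matches records whose version field is 3.1 (TLS 1.0), so SSLv3 (17 03 00), TLS 1.1 (17 03 02) and TLS 1.2 (17 03 03) application data on a high port passes unseen; and both reported destinations are RFC 1918 addresses, so $EXTERNAL_NET on those sensors includes the local network, and setting it to !$HOME_NET would have removed both false positives without touching the rule.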




alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port"; flowbits:isset,BS.SSL.Established; flow:established,to_server; content:"|17 03 01|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; classtype:unusual-client-port-connection; sid:2003020; rev:8;)

Added 2008-12-03 11:15:22 UTC

Creates a false positive when you are trying to connect to a Webmin page on the local network from another local computer.

Here is a copy and paste of the payload:

BASE alert record (trimmed to the packet fields):

Queried on: Sun February 01, 2009 17:00:02
Alert #3, ID 2 - 1222, triggered 2009-02-01 16:51:33, signature [local] [EmThreats] ET POLICY TLS/SSL Encrypted Application Data on Unusual Port, sensor unknown:eth0 (interface eth0, no filter)
IP: 192.168.1.218 -> 192.168.1.135, version 4, header length 20, TOS 0, length 493, ID 1456, not fragmented, offset 0, TTL 128, checksum 28329 = 0x6ea9, no options
TCP: source port 49236, destination port 10000, flags rendered as "X X" (BASE columns R1 R0 URG ACK PSH RST SYN FIN; only the set flags survived the copy), seq 2723400842, ack 2551651045, offset 20, reserved 0, window 16787, urgent pointer 0, checksum 63809 = 0xf941, no options

Payload (length = 453):

000 : 17 03 01 01 C0 F3 4C E6 BB C8 A4 47 B8 33 D5 80 ......L....G.3..
010 : 6E 48 3A DD B1 8A 45 27 FF CD B2 A7 61 5F 9F 6A nH:...E'....a_.j
020 : 68 C8 43 12 F9 B1 F8 94 88 3F B9 A1 B4 10 8A 25 h.C......?.....%
030 : E8 86 5C 27 3C 4F BC 74 CF F0 4B 54 95 6A 55 D7 ..\'<O.t..KT.jU.
040 : A9 21 9B B2 D1 69 0D 7E 8B 80 39 39 BB 90 FA 19 .!...i.~..99....
050 : 4B 02 C0 0C FE B1 0A CA CB 3D 55 A1 5F A4 BD C5 K........=U._...
060 : 92 5C A4 7A 5D 2E E5 0C B9 32 4E 86 C2 49 37 4C .\.z]....2N..I7L
070 : 4B 0D 2C 95 E1 14 DB CC CF E1 FA 92 6E 46 AD 12 K.,.........nF..
080 : F3 63 99 10 7A 95 BE E9 38 15 AC 77 C8 BC 98 19 .c..z...8..w....
090 : EF 0F 0C 26 58 AA 2A EE 6D 68 DE CF 30 80 C9 5B ...&X.*.mh..0..[
0a0 : 2B 80 0E 7D 5B 5F BB 62 24 E9 C2 AC D0 F8 FD 0C +..}[_.b$.......
0b0 : 86 EC 9C 72 95 FA 03 E4 C4 6E BF D4 62 B8 72 38 ...r.....n..b.r8
0c0 : C7 F3 28 EC AF E2 1C 46 A9 2F 44 D9 B6 3E EB A8 ..(....F./D..>..
0d0 : 83 2A 28 54 BC 01 32 21 2C 25 E8 05 08 2E BC 59 .*(T..2!,%.....Y
0e0 : 27 F4 3A B5 6C 74 2A 48 C5 AE A1 2F 44 05 2B 07 '.:.lt*H.../D.+.
0f0 : 73 09 6C BA 88 97 A1 A8 2E 28 08 BF D3 27 75 F7 s.l......(...'u.
100 : 6F C1 64 62 15 AB 7C 41 7D 30 C0 A4 60 56 B6 BA o.db..|A}0..`V..
110 : 20 09 43 68 D1 B9 42 89 FB 28 8B 2A 2A 40 C7 77  .Ch..B..(.**@.w
120 : F2 1E C4 65 6A F9 84 55 61 91 77 36 2B 54 2E A6 ...ej..Ua.w6+T..
130 : 1D FB CE C5 A0 4E 32 04 0B CA 7B C0 57 9A 9C 29 .....N2...{.W..)
140 : 94 9A 90 47 3F 3F 26 EA 6B 0A E1 6E 6F 7E B9 56 ...G??&.k..no~.V
150 : DF 88 C5 A7 16 23 7B 50 5A CE 07 6E 28 EA B8 ED .....#{PZ..n(...
160 : C0 E6 F5 90 B5 78 3C 48 7B 75 54 AB A8 F6 58 05 .....x<H{uT...X.
170 : 07 1C 80 57 C4 AD 8D 9E 14 03 2B 97 21 3F E3 C7 ...W......+.!?..
180 : 16 3A 17 31 DD 64 E0 31 FF 23 3F 57 FB 67 C5 16 .:.1.d.1.#?W.g..
190 : A5 74 E2 36 C1 51 AB 79 66 C0 0F 0B 0F 31 EE 37 .t.6.Q.yf....1.7
1a0 : C2 C8 D7 89 27 11 B0 5E B2 20 16 E1 98 0C 35 70 ....'..^. ....5p
1b0 : B1 D2 6B A7 78 4B 1C AB F2 93 B1 F6 59 B9 D7 0D ..k.xK......Y...
1c0 : BC 10 0E C8 14                                  .....


-- RupertPlumridge - 01 Feb 2009




alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port"; flowbits:isset,BS.SSL.Established; flow:established,from_server; content:"|17 03 01|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; classtype:unusual-client-port-connection; sid:2003020; rev:7;)

Added 2008-09-10 11:30:21 UTC




alert tcp any any -> any 1024:65535 (msg:"ET POLICY TLS/SSL Encrypted Application Data on Unusual Port"; flowbits:isset,BS.SSL.Established; flow:established,from_server; content:"|17 03 01|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; classtype:unusual-client-port-connection; sid:2003020; rev:6;)

Added 2008-01-31 18:48:10 UTC




alert tcp any any -> any 1024:65535 (msg:"BLEEDING-EDGE POLICY TLS/SSL Encrypted Application Data on Unusual Port"; flowbits:isset,BS.SSL.Established; flow:established,from_server; content:"|17 03 01|"; depth:4; threshold:type limit, count 1, seconds 120, track by_src; classtype:unusual-client-port-connection; sid:2003020; rev:5;)



Topic revision: r5 - 2009-03-07 - MattJonkman
 
This site is powered by the TWiki collaboration platform. Copyright © Emerging Threats