Re: WEB-MISC SSLv3 invalid Client_Hello attempt: msg#00091
security.ids.snort.sigs
On Wed, Oct 13, 2004 at 06:28:20PM +0400, Vladimir Stavrinov wrote:
> The site content, I am maintaining, is accessible through the ssl
> only. But snort identifies about 20% requests as "WEB-MISC SSLv3
> invalid Client_Hello attempt" (GEN:SID 1:2522). These false alerts
> are produced by 70% different world wide clients (different IP).
> This type of alerts are 95% of total alerts, produced by snort on
> this system. I don't know what causes this. I think there is
> something wrong with this signature.

Can you send pcap of one of the alerts going off? There are still a few quirks of SSL that I haven't nailed down in the rules yet.

thanks,
Brian