Snort mailing list archives

Re: ssp_ssl: Invalid Client HELLO after Server HELLO Detected
From: Ryan Jordan <ryan.jordan () sourcefire com>
Date: Wed, 4 May 2011 18:13:26 -0400

Hi Shawn,

Those alerts are supposed to fire when an SSL Client Hello is seen in
a session, but the SSL preprocessor already saw both a Client Hello
and a Server Hello. The alerts were added to the preprocessor as part
of Snort 2.9.0.

This is the second time in the past week or two that I've heard of
false positives on the SSL preprocessor alerts, but that code hasn't
changed since Snort 2.9.0. Would it be possible for you to capture a
pcap with a session that triggers the alert? I'm curious to see what's
going on.

Thanks,
Ryan

On Wed, May 4, 2011 at 1:41 PM, Jefferson, Shawn
<Shawn.Jefferson () bcferries com> wrote:
I’ve been seeing a lot of these in the past week or so.  Nothing on my
sensors has changed, but there may have been changes in my network that
caused this new behaviour.  Any ideas on where to look, and what exactly
this is telling me?  Many different sources and many different
destinations.  I’m currently running snort v2.9.0.4.

Here’s my SSL config:

preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 7801 7702 7900
7901 7902 7903 7904 7905 7906 6907 7908 7909 7910 7911 7912 7913 7914 7915
7916 7917 7918 7919 7920 }, trustservers, noinspect_encrypted

--
Shawn Jefferson, Team Lead Security and Server Services, GCIH, GCFA
British Columbia Ferry Services Inc.
Tel: (250) 978-1508
Fax: (250) 405-3533
Shawn.Jefferson () bcferries com | www.bcferries.com



------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network
management toolset available today.  Delivers lowest initial
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
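
The condition described in the reply above (a Client Hello seen in a session that has already shown both a Client Hello and a Server Hello) can be modelled as a small state tracker over TLS records. This is an added example, not Snort's preprocessor code and not part of the original thread; check_session, the alert string, the constructed byte strings and the choice to stop at ChangeCipherSpec are assumptions of the example.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20   # TLS record content types
CLIENT_HELLO, SERVER_HELLO = 1, 2        # handshake message types

def record(content_type, first_byte, version=0x0301):
    """Build a constructed TLS record whose payload is a 4-byte stub."""
    payload = bytes([first_byte]) + b"\x00\x00\x00"
    return struct.pack("!BHH", content_type, version, len(payload)) + payload

def parse_records(stream):
    """Yield (content_type, payload) for each complete TLS record in stream."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        payload = stream[off + 5 : off + 5 + length]
        if len(payload) < length:
            break                        # truncated capture: stop, do not guess
        yield ctype, payload
        off += 5 + length

def check_session(stream):
    """Return alerts for one session's records, in the order they were seen."""
    seen_client = seen_server = False
    alerts = []
    for ctype, payload in parse_records(stream):
        if ctype == CHANGE_CIPHER_SPEC:
            break                        # later records are ciphertext (example's choice)
        if ctype != HANDSHAKE or not payload:
            continue
        if payload[0] == CLIENT_HELLO:
            if seen_client and seen_server:
                alerts.append("client_hello_after_server_hello")
            seen_client = True
        elif payload[0] == SERVER_HELLO:
            seen_server = True
    return alerts

# Constructed sessions (not taken from the traffic discussed in the thread).
CH, SH = record(HANDSHAKE, CLIENT_HELLO), record(HANDSHAKE, SERVER_HELLO)
CCS = record(CHANGE_CIPHER_SPEC, 1)
NORMAL = CH + SH + CCS + record(HANDSHAKE, CLIENT_HELLO)  # post-CCS bytes ignored
SECOND_HELLO = CH + SH + CH                               # condition met
RETRANSMIT = CH + CH + SH                                 # no Server Hello seen yet
```

Only SECOND_HELLO meets the condition; a repeated Client Hello before any Server Hello does not.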



