Snort mailing list archives
Re: ssp_ssl: Invalid Client HELLO after Server HELLO Detected
From: "Al Lewis (allewi)" <allewi () cisco com>
Date: Sat, 16 May 2015 07:02:34 +0000
You can alter the settings in the ssl preprocessor to ignore or trust hosts. See the readme for more details or check the manual here: http://manual.snort.org/node148.html

Usage
=====

SSLPP supports the following options:

ports - Space separated list of ports, enclosed in braces

noinspect_encrypted - Disables inspection of encrypted traffic (default off)

trustservers - Disables the requirement that both sides of Application data must be observed (default off)
This requires noinspect_encrypted to be useful.

max_heartbeat_length - Maximum length of heartbeat record allowed. This config option is used to detect the heartbleed attacks. The allowed range is 0 to 65535. Setting the value to 0 turns off the heartbeat length checks. For heartbeat requests, if the payload size of the request record is greater than the max_heartbeat_length an alert with sid 3 and gid 137 is generated. For heartbeat responses, if the record size itself is greater than the max_heartbeat_length an alert with sid 4 and gid 137 is generated. Default is off.

Thanks!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

-----Original Message-----
From: Maurizio [mailto:madeve1 () gmail com]
Sent: Thursday, May 14, 2015 4:13 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] ssp_ssl: Invalid Client HELLO after Server HELLO Detected

Hi,

I've a lot of matches with the signature in subject. In particular it involves mcafee clients vs mcafee policy orchestrator. Analyzing the packet captures (in attachment) related to a client server communication I noticed that there is always a tcp retransmission and an anomalous handshake.

Can someone suggest me further methods to troubleshoot this problem on the network? Is there a way to "turn off" the signature for specific hosts on specific ports?
Thank you
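The max_heartbeat_length rule quoted from the README above, modelled as an added Python example (not Snort's code and not part of either message). It assumes plaintext heartbeat records and reads "payload size" as the heartbeat message's payload_length field; the function names and sample records are hypothetical and constructed.

```python
import struct

GID = 137                      # generator id given in the README text
HEARTBEAT = 24                 # TLS record content type for heartbeat
HB_REQUEST, HB_RESPONSE = 1, 2

def heartbeat_alerts(stream, max_heartbeat_length):
    """Return (gid, sid) pairs for the heartbeat records in a TLS byte stream."""
    alerts = []
    if max_heartbeat_length == 0:          # 0 turns the length checks off
        return alerts
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, rec_len = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5:off + 5 + rec_len]
        off += 5 + rec_len
        if ctype != HEARTBEAT or len(body) < 3:
            continue                       # not a heartbeat, or too short to parse
        hb_type, payload_len = struct.unpack_from("!BH", body)
        if hb_type == HB_REQUEST and payload_len > max_heartbeat_length:
            alerts.append((GID, 3))        # request: declared payload size
        elif hb_type == HB_RESPONSE and rec_len > max_heartbeat_length:
            alerts.append((GID, 4))        # response: size of the record itself
    return alerts

def record(ctype, body):
    """Build one TLS 1.1 record (constructed test data only)."""
    return struct.pack("!BHH", ctype, 0x0302, len(body)) + body

# Constructed sample records, not taken from any capture.
HANDSHAKE = record(22, b"\x01\x00\x00\x00")
HONEST_REQ = record(HEARTBEAT, struct.pack("!BH", HB_REQUEST, 16) + bytes(32))
OVERSIZE_REQ = record(HEARTBEAT, struct.pack("!BH", HB_REQUEST, 0x4000))
BIG_RESP = record(HEARTBEAT, struct.pack("!BH", HB_RESPONSE, 2000) + bytes(2016))
SAMPLE = HANDSHAKE + HONEST_REQ + OVERSIZE_REQ + BIG_RESP

if __name__ == "__main__":
    for limit in (0, 1024, 65535):
        print(limit, heartbeat_alerts(SAMPLE, limit))
```

The request check looks at the length the sender declares, so a 3-byte record can still alert, while the response check looks only at the record length in the TLS header.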
Current thread:
- ssp_ssl: Invalid Client HELLO after Server HELLO Detected Maurizio (May 15)
- Re: ssp_ssl: Invalid Client HELLO after Server HELLO Detected Al Lewis (allewi) (May 16)
