[Snort-devel] Gmail https access fires "WEB-MISC SSLv2 openssl get shared ciphers overflow attempt" rule

Miguel Rubio-Roy mrubioroy at ...2499...
Fri Apr 2 06:43:28 EDT 2010


Hi all,
  This looks to me like a false positive. Whenever I start an https
session with Google or Gmail (not other https web sites, afaik) I get
one or more "WEB-MISC SSLv2 openssl get shared ciphers overflow
attempt" alerts.

This is a sample of the alerts I get when simply accessing Gmail or
signing in on Google.

#0-(1-3041)    WEB-MISC SSLv2 openssl get shared ciphers overflow attempt    2010-04-02 09:48:15    192.168.0.10:51378    209.85.229.97:443    TCP
#1-(1-3040)    WEB-MISC SSLv2 openssl get shared ciphers overflow attempt    2010-04-02 09:48:13    192.168.0.10:51371    68.177.102.20:443    TCP
#2-(1-3039)    WEB-MISC SSLv2 openssl get shared ciphers overflow attempt    2010-04-02 09:45:33    192.168.0.10:51327    209.85.227.104:443    TCP
#3-(1-3038)    WEB-MISC SSLv2 openssl get shared ciphers overflow attempt    2010-04-02 09:42:57    192.168.0.10:51276    209.85.227.104:443    TCP
#4-(1-3037)    WEB-MISC SSLv2 openssl get shared ciphers overflow attempt    2010-04-02 09:42:54    192.168.0.10:51268    209.85.227.18:443    TCP

Sometimes I've also got these:

#31-(1-3010)    WEB-MISC SSLv3 invalid data version attempt    2010-04-02 09:37:21    192.168.0.10:51160    209.85.227.106:443    TCP

I'm using snort 2.8.5.3 (Build 124) and snortrules-snapshot-CURRENT of
March the 30th.

Miguel



