[Snort-sigs] huge number of false positives for WEB-MISC SSLv3 invalid Client_Hello attempt?

Matt Ostiguy ostiguy at ...2420...
Mon Jul 26 13:18:04 EDT 2004


rev 5. Looks like my rule set is from the 22nd. 

I just grabbed the rules, and it looks like that rule is gone - is it
rolled into WEB-MISC SSLv3 invalid data version attempt, which is rev
7?

I held off updating for a few days with the asn1 hijinx 

On Mon, 26 Jul 2004 15:49:26 -0400, Matthew Watchinski
<mwatchinski at ...435...> wrote:
> What sid and rev are you using?
> 
> Thanks
> -matt
> 
> 
> 
> Matt Ostiguy wrote:
> 
> >Am I the only one getting an unholy number of FPs on this rule? I
> >believe there is some correlation with the keepalives/new mail polls
> >that I.E 6 will send to an exchange 2000 outlook web access server, as
> >I am seeing tons of FPs from *my* home network to my OWA 2k server
> >every 2 minutes, along with tons of similar FPs from what are
> >obviously OWA users
> >
> >Matt
> >
> >
> >-------------------------------------------------------
> >This SF.Net email is sponsored by BEA Weblogic Workshop
> >FREE Java Enterprise J2EE developer tools!
> >Get your free copy of BEA WebLogic Workshop 8.1 today.
> >http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
> >_______________________________________________
> >Snort-sigs mailing list
> >Snort-sigs at lists.sourceforge.net
> >https://lists.sourceforge.net/lists/listinfo/snort-sigs
> >
> >
> >
> 
> -------------------------------------------------------
> This SF.Net email is sponsored by BEA Weblogic Workshop
> FREE Java Enterprise J2EE developer tools!
> Get your free copy of BEA WebLogic Workshop 8.1 today.
> http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>




More information about the Snort-sigs mailing list