[Snort-sigs] huge number of false positives for WEB-MISC SSLv3 invalid Client_Hello attempt?

Matthew Watchinski mwatchinski at ...435...
Mon Jul 26 13:33:00 EDT 2004


sid:2522 rev:7 is the current version.  Try that and see if it fixes the FP
problem.

Cheers,
-matt


Matt Ostiguy wrote:

>rev 5. Looks like my rule set is from the 22nd. 
>
>I just grabbed the rules, and it looks like that rule is gone - is it
>rolled into WEB-MISC SSLv3 invalid data version attempt, which is rev
>7?
>
>I held off updating for a few days with the ASN.1 hijinks.
>
>On Mon, 26 Jul 2004 15:49:26 -0400, Matthew Watchinski
><mwatchinski at ...435...> wrote:
>  
>
>>What sid and rev are you using?
>>
>>Thanks
>>-matt
>>
>>
>>
>>Matt Ostiguy wrote:
>>
>>    
>>
>>>Am I the only one getting an unholy number of FPs on this rule? I
>>>believe there is some correlation with the keepalives/new mail polls
>>>that IE 6 will send to an Exchange 2000 Outlook Web Access server, as
>>>I am seeing tons of FPs from *my* home network to my OWA 2k server
>>>every 2 minutes, along with tons of similar FPs from what are
>>>obviously OWA users.
>>>
>>>Matt
>>>
>>>
>>>-------------------------------------------------------
>>>This SF.Net email is sponsored by BEA Weblogic Workshop
>>>FREE Java Enterprise J2EE developer tools!
>>>Get your free copy of BEA WebLogic Workshop 8.1 today.
>>>http://ads.osdn.com/?ad_id=4721&alloc_id=10040&op=click
>>>_______________________________________________
>>>Snort-sigs mailing list
>>>Snort-sigs at lists.sourceforge.net
>>>https://lists.sourceforge.net/lists/listinfo/snort-sigs




