[Snort-sigs] 2522 WEB-MISC SSLv3 invalid Client_Hello attempt FP's

Steven Lundberg slundberg at ...2478...
Tue May 11 06:36:03 EDT 2004


I am also having this problem.  I have several thousand of these alerts
every morning, all from our regular customers.  They aren't performing any
sort of attack that I can tell.


-----Original Message-----
From: snort-sigs-admin at lists.sourceforge.net
[mailto:snort-sigs-admin at lists.sourceforge.net] On Behalf Of Miner, Jonathan
W (CSC) (US SSA)
Sent: Monday, May 10, 2004 3:01 PM
To: Matthew Jonkman; snort-sigs at lists.sourceforge.net
Subject: RE: [Snort-sigs] 2522 WEB-MISC SSLv3 invalid Client_Hello attempt
FP's


Me too. *I think*

Many of the requests have come from legitimate business partners, and it
does not appear that they're doing anything malicious.  I'm running iPlanet
servers with Solaris.


-----Original Message-----
From:	snort-sigs-admin at lists.sourceforge.net on behalf of Matthew Jonkman
Sent:	Thu 05/06/2004 05:54 PM
To:	snort-sigs at lists.sourceforge.net
Cc:	
Subject:	[Snort-sigs] 2522 WEB-MISC SSLv3 invalid Client_Hello
attempt   FP's
I'm getting a false positive on every single ssl request to and from 
clients and servers. IIS, apache, the whole deal. And none are attacks.

Anyone else seeing this? I don't have a dump of a real attack to use to 
try to pick this apart.

Matt





More information about the Snort-sigs mailing list