[Snort-sigs] False positive

Tim Boyer tim at ...2982...
Wed Feb 2 08:31:35 EST 2005


First one of these I've ever submitted - bear with me; please feel free to
email if you have any questions. Thanks much for Snort and Oinkmaster!

Tim Boyer
tim at ...2982...

# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others.  References in the rules themselves
# should be used for linking to others' work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#

Rule:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 ( \
    msg:"WEB-MISC SSLv3 invalid Client_Hello attempt"; \
    flow:to_server,established; \
    flowbits:isset,sslv3.server_hello.request; \
    content:"|16 03|"; depth:2; \
    content:"|01|"; depth:1; offset:5; \
    reference:cve,2004-0120; \
    reference:nessus,12204; \
    reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; \
    classtype:attempted-dos; sid:2522; rev:10; \
)

--
Sid:

2522

--
Summary:

This event is generated when an attempt is made to exploit a known
vulnerability in the Microsoft implementation of SSL Version 3.

--
Impact:

--
Detailed Information:

--
Affected Systems:

--
Attack Scenarios:

--
Ease of Attack:

--
False Positives:

I'm seeing this in our logs:

Feb  1 16:03:02 gage.denmantire.com snort: [1:2522:10] WEB-MISC SSLv3
invalid Client_Hello attempt [Classification: Attempted Denial of Service]
[Priority: 2]:{TCP} 68.228.2.20:1470 -> 192.168.1.89:443
Feb  1 16:03:02 gage.denmantire.com snort: [1:2522:10] WEB-MISC SSLv3
invalid Client_Hello attempt [Classification: Attempted Denial of Service]
[Priority: 2]:{TCP} 68.228.2.20:1471 -> 192.168.1.89:443

The error message says it's a Microsoft SSL exploit.  The server is
Apache/2.0.46 on a Red Hat Enterprise 3 system.  I know the client involved;
they're doing nothing more than trying to do a logon to a secure page.  They
have a nasty habit of misspelling their password, but it's not quite a DoS.

--
False Negatives:

--
Corrective Action:

--
Contributors:

--
Additional References:
