[Snort-sigs] Confused by 'IMAP SSLv3 Server_Hello request'?

Sun snortmaillist at ...2420...
Wed Jan 2 07:40:03 EST 2008

Hello Brian,

    In fact, I do not have any real alert data. I just read the alert
signature and found some confusion.

    Thank you for your reply and happy new year.


Brian Caswell wrote:
> On Dec 31, 2007, at 2007/12/31 3:45 AM, Sun wrote:
>>   I'm confused by the signature and description about the alert:  
>> 'IMAP SSLv3 Server_Hello request'. The rule of this alert is as follows:
>> alert tcp $HOME_NET 993 -> $EXTERNAL_NET any (msg:"IMAP SSLv3 
>> Server_Hello request"; flow:to_client,established; 
>> flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|"; 
>> depth:3; content:"|02|"; depth:1; offset:5; 
>> flowbits:set,sslv3.server_hello.request; flowbits:noalert; 
>> metadata:service imap; classtype:protocol-command-decode; sid:2530; 
>> rev:8;)
>> I learn the following things from this rule:
>> 1) the source IP address of this alert is an sslv3 server;
>> 2) the server is sending a message to a client in the external net;
>> 3) from the flow: to_client, I guess that the alert is an attack on 
>> the client, rather than a response to an attack from the client;
>> However, the description of this alert says that the alert may 
>> indicate a DoS attack on the sslv3 server. So I'm confused by 
>> these situations.
> Because of the "flowbits:noalert", you should never see an alert with 
> this rule.  This rule is used for tracking SSL connection state for 
> other meaningful rules and has no useful meaning by itself.
> Are you sure this rule is generating an alert?
> Brian
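
The state-tracking behaviour described in the reply above, as an added example that is not part of the original thread and is not Snort's own code: it models how sid:2530 matches an SSLv3 ServerHello, sets its flowbit, and never alerts. The `Flow` class, the helper names, the sample records, and the client-hello companion rule (which the thread does not show) are assumptions.

```python
# Added illustration of sid:2530 from the quoted rule; not Snort source code.

def content_at(payload, pattern, offset=0, depth=None):
    """Snort-style 'content' match limited to payload[offset:offset+depth]."""
    end = len(payload) if depth is None else offset + depth
    return pattern in payload[offset:end]

class Flow:
    """Hypothetical per-connection state holding the flowbits that are set."""
    def __init__(self):
        self.bits = set()

def assumed_client_hello_rule(flow, payload):
    # ASSUMPTION: the rule that sets sslv3.client_hello.request is not shown in
    # the thread; modelled here as an SSLv3 handshake record of type 0x01.
    if (content_at(payload, b"\x16\x03\x00", depth=3)
            and content_at(payload, b"\x01", offset=5, depth=1)):
        flow.bits.add("sslv3.client_hello.request")

def sid_2530(flow, payload):
    """Evaluate a to_client packet from port 993; returns (matched, alerted)."""
    matched = (
        "sslv3.client_hello.request" in flow.bits             # flowbits:isset
        and content_at(payload, b"\x16\x03\x00", depth=3)      # handshake record, SSL 3.0
        and content_at(payload, b"\x02", offset=5, depth=1)    # handshake type 2: ServerHello
    )
    if matched:
        flow.bits.add("sslv3.server_hello.request")            # flowbits:set
    return matched, False                                      # flowbits:noalert

# Constructed sample records: type, version, 2-byte record length,
# handshake type, 3-byte handshake length, zero-filled body.
CLIENT_HELLO = b"\x16\x03\x00\x00\x2d" + b"\x01\x00\x00\x29" + bytes(0x29)
SERVER_HELLO = b"\x16\x03\x00\x00\x2a" + b"\x02\x00\x00\x26" + bytes(0x26)

def demo():
    flow = Flow()
    before = sid_2530(flow, SERVER_HELLO)        # client hello not yet seen
    assumed_client_hello_rule(flow, CLIENT_HELLO)
    after = sid_2530(flow, SERVER_HELLO)         # matches, records state, stays silent
    return before, after, sorted(flow.bits)

if __name__ == "__main__":
    print(demo())
```

The `sslv3.server_hello.request` bit left on the flow is what later rules in the same chain can test with `flowbits:isset`.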
