[Snort-sigs] Confused by 'IMAP SSLv3 Server_Hello request'?
snortmaillist at ...2420...
Wed Jan 2 07:40:03 EST 2008
In fact, I do not have any real alert data. I just read the alert
signature and found some confusion.
Thank you for your reply and happy new year.
Brian Caswell wrote:
> On Dec 31, 2007, at 2007/12/31 3:45 AM, Sun wrote:
>> I'm confused by the signature and description about the alert:
>> 'IMAP SSLv3 Server_Hello request'. The rule of this alert is as follows:
>> alert tcp $HOME_NET 993 -> $EXTERNAL_NET any (msg:"IMAP SSLv3
>> Server_Hello request"; flow:to_client,established;
>> flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|";
>> depth:3; content:"|02|"; depth:1; offset:5;
>> flowbits:set,sslv3.server_hello.request; flowbits:noalert;
>> metadata:service imap; classtype:protocol-command-decode; sid:2530;
>> I learn the following things from this rule:
>> 1) the source IP address of this alert is an sslv3 server;
>> 2) the server is sending a message to a client in the external net;
>> 3) from the flow:to_client, I guess that the alert is an attack on
>> the client, rather than a response to an attack from the client;
>> However, the description of this alert says that the alert may
>> indicate a DoS attack on the sslv3 server. So I'm confused by
>> these situations.
> Because of the "flowbits:noalert", you should never see an alert with
> this rule. This rule is used for tracking SSL connection state for
> other meaningful rules and has no useful meaning by itself.
> Are you sure this rule is generating an alert?
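To make the point about flowbits concrete, here is an added Python model (not code from the thread or from Snort) of how sid:2530's content/offset/depth checks and its flowbits behave. It assumes a companion ClientHello rule that sets sslv3.client_hello.request, and a hypothetical downstream rule that consumes sslv3.server_hello.request; the packet bytes are constructed, not captured.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed SSLv3 handshake records: 5-byte record header (type 0x16, version 03 00,
# length), then the handshake type byte at offset 5, which the rule's second content matches.
CLIENT_HELLO = bytes.fromhex("1603 00 002d 01 000029 0300") + bytes(32) + bytes.fromhex("00 0002 0035 01 00")
SERVER_HELLO = bytes.fromhex("1603 00 002a 02 000026 0300") + bytes(32) + bytes.fromhex("00 0035 00")

@dataclass
class Flow:
    """Per-connection state: the flowbits set so far and the alerts actually raised."""
    bits: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

def content(payload: bytes, pattern: bytes, offset: int = 0, depth: Optional[int] = None) -> bool:
    """Snort content semantics: look for pattern within `depth` bytes starting at `offset`."""
    end = None if depth is None else offset + depth
    return pattern in payload[offset:end]

def rule_client_hello(flow: Flow, payload: bytes, to_server: bool) -> None:
    """Assumed companion rule (not quoted in the thread): a ClientHello towards the
    server sets sslv3.client_hello.request and is itself noalert."""
    if to_server and content(payload, b"\x16\x03\x00", depth=3) and content(payload, b"\x01", offset=5, depth=1):
        flow.bits.add("sslv3.client_hello.request")

def rule_sid_2530(flow: Flow, payload: bytes, to_client: bool) -> bool:
    """The rule from the thread. Returns True when every option matched; because of
    flowbits:noalert it only records state and never appends to flow.alerts."""
    if not (to_client and "sslv3.client_hello.request" in flow.bits):   # flow + flowbits:isset
        return False
    if not (content(payload, b"\x16\x03\x00", depth=3) and content(payload, b"\x02", offset=5, depth=1)):
        return False
    flow.bits.add("sslv3.server_hello.request")                          # flowbits:set, then noalert
    return True

def rule_downstream(flow: Flow) -> bool:
    """Hypothetical consumer rule: only a rule that checks isset,sslv3.server_hello.request
    and does not carry noalert would ever produce a visible alert."""
    if "sslv3.server_hello.request" in flow.bits:
        flow.alerts.append("hypothetical rule keyed on sslv3.server_hello.request")
        return True
    return False

def simulate(packets) -> Flow:
    """packets: list of (payload, direction) with direction 'to_server' or 'to_client'."""
    flow = Flow()
    for payload, direction in packets:
        rule_client_hello(flow, payload, direction == "to_server")
        rule_sid_2530(flow, payload, direction == "to_client")
        rule_downstream(flow)
    return flow
```

A ServerHello seen without a preceding ClientHello on the same flow does not even match, and a matching one only sets a bit; the alert you would see comes from whichever rule consumes that bit.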