[Snort-sigs] Rule 8428 triggered by IIS HTTPS connection

Evgeniy Sudyr Evgeniy.Sudyr at ...3376...
Wed Apr 29 02:48:39 EDT 2009

Hi all, 

I think I have a false-positive alert from web-misc.rules #8428 for HTTPS on IIS 6. In detail: I'm using the IIS 6 RPC proxy over HTTPS for an Exchange 2007 server connection.

I commented out this rule, but I think that the Snort experts must pay attention and correct this rule to prevent false alerts.

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"WEB-MISC SSLv2 openssl get shared ciphers overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|"; depth:2; offset:2; byte_test:2, >, 256, 1, relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; reference:bugtraq,20249; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8428; rev:8;)

Let me know if I need to send more info that can help solve this issue.

Evgeniy Sudyr
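As an added illustration (not part of the original post), the Python below re-implements the payload checks of sid 8428 on constructed SSLv2 CLIENT-HELLO records, so that the exact bytes the rule inspects are visible when investigating a report like this one. The flowbits conditions (no SSLv2/SSLv3/TLSv1 hello seen yet on the flow) are assumed to be satisfied and are not modelled.

```python
import struct


def sid_8428_matches(payload: bytes) -> bool:
    """Apply the payload tests of Snort sid 8428 to one TCP payload.

    content:"|01 03|"; offset:2; depth:2
        -> bytes 2..3 must be 0x01 0x03: in an SSLv2 record the 2-byte
           length header is followed by msg type 0x01 (CLIENT-HELLO) and
           the major version byte 0x03.
    byte_test:2,>,256,1,relative
        -> the content match ends at offset 4; skip 1 byte (minor version)
           and read a 2-byte big-endian value, the CIPHER-SPECS-LENGTH
           field (bytes 5..6). Alert if it is greater than 256.
    """
    if len(payload) < 7:
        return False
    if payload[2:4] != b"\x01\x03":
        return False
    (cipher_spec_len,) = struct.unpack(">H", payload[5:7])
    return cipher_spec_len > 256


def build_sslv2_client_hello(cipher_spec_len: int,
                             session_id_len: int = 0,
                             challenge_len: int = 16) -> bytes:
    """Construct a minimal SSLv2 CLIENT-HELLO record (constructed test
    data; field contents are zero-filled, only lengths matter here)."""
    body = struct.pack(">BBBHHH", 0x01, 0x03, 0x00,
                       cipher_spec_len, session_id_len, challenge_len)
    body += b"\x00" * (cipher_spec_len + session_id_len + challenge_len)
    # 2-byte SSLv2 record header: high bit set, 15-bit body length
    header = struct.pack(">H", 0x8000 | len(body))
    return header + body


if __name__ == "__main__":
    # Three ciphers (3 bytes each) is a normal hello: no alert.
    print(sid_8428_matches(build_sslv2_client_hello(9)))      # False
    # An oversized cipher-spec length is what the rule is after.
    print(sid_8428_matches(build_sslv2_client_hello(300)))    # True
    # Plain HTTP never has 01 03 at offset 2: no alert.
    print(sid_8428_matches(b"GET / HTTP/1.1\r\n"))            # False
```

Any payload whose bytes 2..3 happen to be 01 03 and whose bytes 5..6 exceed 256 satisfies the rule's tests, which is why traffic the flowbits did not classify as an SSL handshake can still trigger it.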
