[Snort-sigs] ssp_ssl - excessive alerts

Joel Esler jesler at ...435...
Sun Jan 8 15:20:50 EST 2012


Please review README.filters in the doc/ directory of the Tarball. 

--
Joel Esler
Senior Research Engineer, VRT
OpenSource Community Manager
Sourcefire

On Jan 8, 2012, at 2:14 PM, vincent at ...3611... wrote:

> Hello all,
> 
> I have been seeing an excessive amount of the following alerts being generated by the SSL preprocessor:
> 
> [137:1:1] ssp_ssl: Invalid Client HELLO after Server HELLO
> 
> I am currently running version 2.9.0.2 of Snort.
> 
> I came across the following post regarding this same issue:
> http://groups.google.com/group/snortusers/browse_thread/thread/ee188618971c6c24
> 
> In this post, Joel Esler states the following, "You can suppress the alert."  However, he provided no information on why this particular alert is generating so much activity nor if there are any detriments to suppressing the alert.  Joel, or anyone else, can you elaborate on this issue?
> 
> Thanks,
> 
> Vincent
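An added example, not part of the thread or of Snort: before suppressing 137:1 globally, tally which sources raise it and scope the filter accordingly, using the `suppress` and `event_filter` syntax that README.filters documents. It assumes `alert_fast` output; the sample lines are constructed, and the `share` and `max_hosts` cut-offs are hypothetical defaults.

```python
import re
from collections import Counter

# Constructed alert_fast-style sample data (not taken from the thread).
MSG = "[137:1:1] ssp_ssl: Invalid Client HELLO after Server HELLO"

def _line(sig, src):
    return (f"01/08-14:14:00.000000  [**] {sig} [**] [Priority: 3] "
            f"{{TCP}} {src}:51000 -> 192.0.2.10:443")

SAMPLE_ALERTS = "\n".join(
    [_line(MSG, "10.0.0.5")] * 5
    + [_line(MSG, "10.0.0.9"), _line("[1:1000001:1] constructed rule", "10.0.0.7")]
)

# [gid:sid:rev] after the first [**], then the source address after {PROTO}.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):\d+\] .*? \{\w+\} (?P<src>[\d.]+)"
)

def count_sources(log_text, gid, sid):
    """Count alerts for one gid:sid per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if m and (int(m["gid"]), int(m["sid"])) == (gid, sid):
            counts[m["src"]] += 1
    return counts

def propose_filters(counts, gid, sid, share=0.8, max_hosts=3):
    """Scoped suppress lines if a few hosts dominate, else a rate limit."""
    total = sum(counts.values())
    if total == 0:
        return []
    picked, covered = [], 0
    for ip, n in counts.most_common(max_hosts):
        picked.append(ip)
        covered += n
        if covered / total >= share:
            # A handful of hosts explain the noise: silence only those.
            return [f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {h}"
                    for h in sorted(picked)]
    # Noise is spread out: keep the event visible but log it once a minute.
    return [f"event_filter gen_id {gid}, sig_id {sid}, type limit, "
            "track by_src, count 1, seconds 60"]

if __name__ == "__main__":
    for directive in propose_filters(count_sources(SAMPLE_ALERTS, 137, 1), 137, 1):
        print(directive)
```

The printed directives go in the filter section of the Snort configuration (commonly `threshold.conf`); hosts outside the scoped `suppress` still generate the event.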



