[Snort-sigs] 1:11672, 3:11672 BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt
snort at outlook.com
Thu Jun 28 15:01:39 EDT 2018
The only rule I have is 3:11672; I don't see 1:11672. Looking at the direction of the rule, I assume it is the response of the server that may be triggering the rules. Do the responding servers have anything in common, such as IP addresses or SSL configurations/certificates? You might want to look closer at the traffic and the payload triggering the rule.
Hope this helps.
From: Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of Steve Thames via Snort-sigs <snort-sigs at lists.snort.org>
Sent: Thursday, June 28, 2018 7:30 PM
To: snort-sigs at lists.snort.org
Subject: [Snort-sigs] 1:11672, 3:11672 BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt
In my pfSense Snort IDS/IPS, I am seeing an increasing number of these alerts from customer network IPs. These are large orgs with, potentially, hundreds of clients NATed to a single public IP.
This is a very old threat and I’m reasonably sure the clients are not using a 10-year-old version of Mozilla, Thunderbird, SeaMonkey, or Java to access our web servers.
Can someone shed some light on why we would be seeing an increasing number of these alerts?