[Snort-sigs] 1:11672, 3:11672 BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt

Y M snort at outlook.com
Thu Jun 28 15:01:39 EDT 2018


The only rule I have is 3:11672; I don't see 1:11672. Looking at the direction of the rule, I assume it is the response of the server that may be triggering the rules. Do the responding servers have anything in common, such as IP addresses or SSL configurations/certificates? You might want to look closer at the traffic and the payload triggering the rule.

Hope this helps.
YM

________________________________
From: Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of Steve Thames via Snort-sigs <snort-sigs at lists.snort.org>
Sent: Thursday, June 28, 2018 7:30 PM
To: snort-sigs at lists.snort.org
Subject: [Snort-sigs] 1:11672, 3:11672 BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt


In my pfSense Snort IDS/IPS, I am seeing an increasing number of these alerts from customer network IPs. These are large orgs with, potentially, hundreds of clients NATed to a single public IP.

This is a very old threat and I’m reasonably sure the clients are not using a 10-year-old version of Mozilla, Thunderbird, SeaMonkey, or Java to access our web servers.

Can someone shed some light on why we would be seeing an increasing number of these alerts?

Thanks.