[Snort-sigs] 1:11672, 3:11672 BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt
sthames42 at gmail.com
Thu Jun 28 18:21:27 EDT 2018
The only rule I have is 3:11672, I don't see 1:11672.
Agreed. Apparently the old rule 1:11672 is not included any longer.
Looking at the direction of the rule, I assume it is the response of the
server that maybe triggering the rules. Do the responding servers have
anything in common such as IP addresses, SSL configurations/certificate? You
might want to look closer at the traffic and the payload triggering the
Here is the rule signature:
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"BROWSER-OTHER Mozilla
Network Security Services SSLv2 stack overflow attempt"; sid:11672; gid:3;
482; metadata: engine shared, soid 3|11672, service ssl, policy
Perhaps I don't understand snort rules but I thought this was describing
traffic coming from the Internet to my servers.
Are you suggesting this alert will be triggered by a response from $HOME_NET
AFAICT, this is the only part of the rule that matters and it appears to be
saying "trigger this alert if the request is trying to set
'sslv2.client_master_key.request' and it is not already set."
I'm guessing this alert is being triggered by a bot that is simply
attempting to gain admin access by exploiting the NSS vulnerability
Can someone describe how a request could trigger this rule and if there is
any danger to modern Apache or IIS servers?
From: Snort-sigs <snort-sigs-bounces at lists.snort.org> on behalf of Steve
Thames via Snort-sigs <snort-sigs at lists.snort.org>
Sent: Thursday, June 28, 2018 7:30 PM
To: snort-sigs at lists.snort.org
Subject: [Snort-sigs] 1:11672, 3:11672 BROWSER-OTHER Mozilla Network
Security Services SSLv2 stack overflow attempt
In my pfSense Snort IDS/IPS, I am seeing an increasing number of these
alerts from customer network IPs. These are large orgs with, potentially,
hundreds of clients NATed to a single public IP.
This is a very old threat and I'm reasonably sure the clients are not using a
10-year-old version of Mozilla, Thunderbird, SeaMonkey, or Java to access
our web servers.
Can someone shed some light on why we would be seeing an increasing number
of these alerts?
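As an added example (not code from the thread or from the Snort project), a small Python parser that splits a Snort rule into its header and options and then walks only the flowbits options over one flow. It shows the two points the thread turns on: a `->` header with destination port 443 selects the client's request to $HOME_NET, not the server's reply, and an `isnotset`/`set` pair on the same bit lets the rule fire once per flow. The quoted rule on the page is truncated, so the flowbits options below are an assumption reconstructed from the thread's paraphrase; content matching is not modelled.

```python
import re
# Constructed example rule. The header, msg, sid and gid are the ones quoted in
# the thread; the two flowbits options are an ASSUMPTION based on the thread's
# paraphrase ("set sslv2.client_master_key.request if it is not already set").
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"BROWSER-OTHER Mozilla '
        'Network Security Services SSLv2 stack overflow attempt"; '
        'flowbits:isnotset,sslv2.client_master_key.request; '
        'flowbits:set,sslv2.client_master_key.request; sid:11672; gid:3;)')

HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)

def parse_rule(rule):
    """Split a Snort rule into its header fields and an ordered option list."""
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule header")
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    options = []
    for item in re.findall(r'(?:"[^"]*"|[^;])+', body):  # ';' inside quotes is kept
        key, _, val = item.strip().partition(':')
        if key:
            options.append((key.strip(), val.strip()))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "direction": direction, "dst": dst, "dport": dport, "options": options}

def inspected_side(parsed):
    """Traffic the header selects: '->' is one-way (src to dst), '<>' is both ways."""
    if parsed["direction"] == "<>":
        return "either"
    return f'{parsed["src"]}:{parsed["sport"]} -> {parsed["dst"]}:{parsed["dport"]}'

def flowbits_match(parsed, flow_state):
    """Evaluate the flowbits options in order against one flow's bit set (mutated)."""
    for key, val in parsed["options"]:
        if key != "flowbits":
            continue
        op, _, name = val.partition(',')
        name = name.strip()
        if op in ("isset", "isnotset") and (op == "isset") != (name in flow_state):
            return False
        if op == "set":
            flow_state.add(name)
        elif op == "unset":
            flow_state.discard(name)
    return True

def alerts_in_flow(rule, matching_packets):
    """Count alerts one TCP flow would raise over N packets whose content matches."""
    parsed, state = parse_rule(rule), set()
    return sum(flowbits_match(parsed, state) for _ in range(matching_packets))
```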