[Snort-sigs] 1:11672, 3:11672 BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt

Steve Thames sthames42 at gmail.com
Fri Jun 29 11:53:52 EDT 2018

Re-looking at the rule, it seems that it is triggering when external IP
addresses are destined to the protected network ($HOME_NET) on port 443 when the
flowbit sslv2.client_master_key.request is not set, while setting it at the
same time. Since the rule is compiled, it is difficult to determine the
content matches. The traffic generating this could be anything from a
scanner, scripts, automated tools, outdated client requests, etc.
Determining the ultimate risk of this rule will be almost impossible to
anyone except yourself.


This was my conclusion, as well. References seem to indicate the only risk
to my servers would be if they are using a very old version of NSS, which
they are not. For safety, I have disabled all SSLv2 support and the alert.


Thanks for your help.

