[Snort-users] Questions about a couple alerts

Gibson, Samuel gibsons at ...15616...
Fri Jun 8 12:44:07 EDT 2012


I keep getting the following alerts:

ssp_ssl: Invalid Client HELLO after Server HELLO Detected and smtp: Attempted data header buffer overflow.

I have a few questions about how to handle them.

When I look at the captures from the ssp_ssl alert, I see a second Client Hello is sent in a TCP Retransmission. I am wondering if this is the desired behavior of Snort, to alert on this condition, and I should just configure threshold.conf to suppress it.

The smtp buffer overflow alert is interesting in that the data in the packet listed in Sguil seems to be part of the body of the email.
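A threshold.conf fragment of the kind the post is considering, added here as an illustration and not part of the original message. The generator and signature IDs are placeholders: each preprocessor event is identified by the preprocessor's GID and a per-event SID, and those should be read from the preprocessor.rules file shipped with the sensor's Snort version rather than guessed. The addresses are constructed.

```conf
# Added example (not from the original post). <ssl-gid>/<ssl-sid> and
# <smtp-gid>/<smtp-sid> are placeholders for the preprocessor event IDs
# listed in preprocessor.rules; 192.0.2.0/24 and 198.51.100.25 are constructed.

# Blanket suppress: silences the SSL preprocessor event for every host.
# Simple, but it also hides a genuinely malformed handshake from anyone.
# suppress gen_id <ssl-gid>, sig_id <ssl-sid>

# Narrower alternative: suppress only for the client range observed to
# retransmit its Client Hello, and keep the event for everyone else.
suppress gen_id <ssl-gid>, sig_id <ssl-sid>, track by_src, ip 192.0.2.0/24

# For the SMTP data-header event, rate-limit instead of silencing it: at most
# one alert per source every 5 minutes, so a burst from one sender still
# appears once in Sguil without flooding the console.
event_filter gen_id <smtp-gid>, sig_id <smtp-sid>, type limit, track by_src, count 1, seconds 300

# Or scope it to the one mail server the event is seen on (constructed address).
# suppress gen_id <smtp-gid>, sig_id <smtp-sid>, track by_dst, ip 198.51.100.25
```

Snort reads this file through the `include threshold.conf` line in snort.conf, and changes take effect on restart. The difference between the two keywords is the point of the example: `suppress` discards the event before it is logged, while `event_filter` only limits how often it is logged, which is why the SMTP event, whose packet contents are still worth a look, gets a filter rather than a suppress.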

