[Snort-users] Determination of ssl_state

Shin Mura kmym0401 at ...11827...
Fri Apr 17 02:25:59 EDT 2015


Hi,

I have something to clarify about the determination of "ssl_state".

"ssl_state:client_hello" is specified in [1:33801] signature. However, upon
confirming the unified file of the actual detected log converted to pcap
using Wireshark, the "Handshake Protocol" is not "Client Hello" but
"Encrypted Handshake Message". It seems that "ssl_state" cannot be properly
determined.

Actual configuration:
preprocessor ssl: ports { 443 }, trustservers, noinspect_encrypted

It would be really great if someone can provide some inputs on these issues.

Thanks and regards,

Shin