[Snort-users] ssp_ssl: Invalid Client HELLO after Server HELLO Detected
Al Lewis (allewi)
allewi at ...589...
Sat May 16 03:02:34 EDT 2015
You can alter the settings in the ssl preprocessor to ignore or trust hosts.
See the readme for more details or check the manual here: http://manual.snort.org/node148.html
SSLPP supports the following options:
ports - Space separated list of ports, enclosed in braces.
noinspect_encrypted - Disables inspection of encrypted traffic.
trustservers - Disables the requirement that both sides of application data must be observed (default off). This requires noinspect_encrypted to be useful.
max_heartbeat_length - Maximum length of heartbeat record allowed. This config option is used to detect the heartbleed attacks. The allowed range is 0 to 65535. Setting the value to 0 turns off the heartbeat length checks. For heartbeat requests, if the payload size of the request record is greater than the max_heartbeat_length, an alert with sid 3 and gid 137 is generated. For heartbeat responses, if the record size itself is greater than the max_heartbeat_length, an alert with sid 4 and gid 137 is generated. Default is off.
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi at ...589...
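As an added illustration of the two options named in the reply, and of the per-host suppression the original question asks about, here is a snort.conf fragment. It is not from the thread, the Snort manual, or Cisco; the ePO server address 10.0.0.5 and the port 8443 are assumptions, and the sid for the "Invalid Client HELLO after Server HELLO Detected" message should be checked against the gid 137 entries in your own preprocessor.rules before copying it.

```conf
# Added example, not part of the original thread or the Snort distribution.

# SSL/TLS preprocessor. 8443 is an assumed agent-to-ePO port added next to 443.
# noinspect_encrypted stops Snort inspecting records once the session is seen
# to be encrypted; trustservers drops the requirement that application data be
# observed from BOTH sides first, and does nothing without noinspect_encrypted.
# max_heartbeat_length is not set, so the Heartbleed checks (137:3, 137:4) stay
# at their default of off.
preprocessor ssl: ports { 443 8443 }, noinspect_encrypted, trustservers

# Silence the subject alert for traffic to one assumed ePO server only.
# In the stock preprocessor.rules the invalid-client-HELLO event is gid 137,
# sid 1 (verify this in your rule set). suppress is keyed on host, not port:
# a CIDR or bracketed list such as [10.0.0.5,10.0.0.6] is accepted for ip,
# but there is no port field, so port scoping comes only from the ports list
# above, which applies to the whole preprocessor.
suppress gen_id 137, sig_id 1, track by_dst, ip 10.0.0.5
```

The suppress line keeps the preprocessor active (and 137:1 still firing for every other destination) while removing the noise for the one host pair being investigated; a global alternative is to edit or comment out the 137:1 line in preprocessor.rules, which turns the check off everywhere.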
From: Maurizio [mailto:madeve1 at ...11827...]
Sent: Thursday, May 14, 2015 4:13 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] ssp_ssl: Invalid Client HELLO after Server HELLO Detected
I have a lot of matches for the signature in the subject. In particular, it involves McAfee clients vs. McAfee Policy Orchestrator. Analyzing the packet captures (attached) related to a client-server communication, I noticed that there is always a TCP retransmission and an anomalous handshake.
Can someone suggest further methods for troubleshooting this problem on the network?
Is there a way to "turn off" the signature for specific hosts on specific ports?