[Snort-users] ssp_ssl: Invalid Client HELLO after Server HELLO Detected

Al Lewis (allewi) allewi at ...589...
Sat May 16 03:02:34 EDT 2015


You can alter the settings in the ssl preprocessor to ignore or trust hosts. 

See the readme for more details or check the manual here: http://manual.snort.org/node148.html



Usage
=====

SSLPP supports the following options:

  ports                -   Space separated list of ports, enclosed in braces

  noinspect_encrypted  -   Disables inspection of encrypted traffic
                            (default off)

  trustservers         -   Disables the requirement that both sides of
                            Application data must be observed (default off)
                            This requires noinspect_encrypted to be useful.

  max_heartbeat_length -   Maximum length of heartbeat record allowed.  This
                           config option is used to detect the heartbleed attacks.
                           The allowed range is 0 to 65535. Setting the value to
                           0 turns off the heartbeat length checks. For
                           heartbeat requests, if the payload size of the request
                           record is greater than the max_heartbeat_length
                           an alert with sid 3 and gid 137 is generated.
                           For heartbeat responses, if the record size itself
                           is greater than the max_heartbeat_length an alert
                           with sid 4 and gid 137 is generated. Default is off.


Thanks!

Albert Lewis
QA Software Engineer
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046 
Phone: (office) 443.430.7112
Email: allewi at ...589... 

-----Original Message-----
From: Maurizio [mailto:madeve1 at ...11827...] 
Sent: Thursday, May 14, 2015 4:13 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] ssp_ssl: Invalid Client HELLO after Server HELLO Detected

Hi,
I've a lot of matches with the signature in subject. In particular it involves mcafee clients vs mcafee policy orchestrator. Analyzing the packet captures (in attachment) related to a client server communication  I noticed that there is always a tcp retransmission and an anomalous handshake.
Can someone suggest me further methods to troubleshoot this problem on the network?
Is there a way to "turn off" the signature for specific hosts on specific ports?

Thank you




More information about the Snort-users mailing list