
| Subject: | Re: [Snort-sigs] False positive rule 2544 |
|---|---|
| Date: | Wed, 27 Dec 2006 07:27:46 -0800 |
Snort lists the traffic as an invalid client hello. The Syslog messages are
below. (I have removed the source IP address)
<33>snort[3060]: [1:2522:10] WEB-MISC SSLv3 invalid Client_Hello attempt
[Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
xx.xx.xx.xx:3303 -> 216.239.53.19:443
<33>snort[3060]: [1:2522:10] WEB-MISC SSLv3 invalid Client_Hello attempt
[Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
xx.xx.xx.xx:3303 -> 216.239.53.19:443
Jamy Klein
MS Information Assurance
CISSP, GCFW, GCIH, GSEC, MCP, RHCT
Security Specialist
Network Security Team - Enterprise Information Systems
Cedars-Sinai Medical Center
Phone: (310)423-2921
E-mail: jamy.klein@cshs.org
_____
From: Michael Scheidell [mailto:scheidell@secnap.net]
Sent: Tuesday, December 26, 2006 6:39 PM
To: Klein, Jamy; snort-sigs@lists.sourceforge.net
Subject: RE: [Snort-sigs] False positive rule 2544
Why?
-----Original Message-----
From: snort-sigs-bounces@lists.sourceforge.net
[mailto:snort-sigs-bounces@lists.sourceforge.net] On Behalf Of Klein, Jamy
Sent: Tuesday, December 26, 2006 10:54 AM
To: snort-sigs@lists.sourceforge.net
Subject: [Snort-sigs] False positive rule 2544
# This is a template for submitting snort signature descriptions to
# the snort.org website
#
# Ensure that your descriptions are your own
# and not the work of others. References in the rules themselves
# should be used for linking to other's work.
#
# If you are unsure of some part of a rule, use that as a commentary
# and someone else perhaps will be able to fix it.
#
# $Id$
#
#
Rule:
--
Sid: 1:2544
--
Summary:
Google Talk appears to cause a false positive for this rule.
--
Impact: False Positive
--
Detailed Information:
See the rule details for 2544
--
Affected Systems:
--
Attack Scenarios:
--
Ease of Attack:
--
False Positives:
--
False Negatives:
--
Corrective Action:
--
Contributors:
--
Additional References:
Jamy Klein
MS Information Assurance
CISSP, GCFW, GCIH, GSEC, MCP, RHCT
Security Specialist
Network Security Team - Enterprise Information Systems
Cedars-Sinai Medical Center
Phone: (310)423-2921
E-mail: jamy.klein@cshs.org
IMPORTANT WARNING: This message is intended for the use of the person or
entity to which it is addressed and may contain information that is
privileged and confidential, the disclosure of which is governed by
applicable law. If the reader of this message is not the intended recipient,
or the employee or agent responsible for delivering it to the intended
recipient, you are hereby notified that any dissemination, distribution or
copying of this information is STRICTLY PROHIBITED.
If you have received this message in error, please notify us immediately by
calling (310) 423-6428 and destroy the related message. Thank You for your
cooperation.
_______________________________________________ Snort-sigs mailing list Snort-sigs@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/snort-sigs
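For triaging a report like the one in this thread, the following added example (not part of the original messages or of Snort itself) rejoins syslog alerts that a mail client has hard-wrapped, parses the fields, and counts hits per rule and destination. The sample input is constructed from the two alert lines quoted above; the function names and the `min_hits` threshold are assumptions, and the generated `suppress` lines are only candidates for an analyst to review before adding them to `threshold.conf`.

```python
import re
from collections import Counter

# Constructed sample: the two alerts quoted in the message, wrapped the way
# the mail client wrapped them (source address redacted as in the post).
SAMPLE = """\
<33>snort[3060]: [1:2522:10] WEB-MISC SSLv3 invalid Client_Hello attempt
[Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
xx.xx.xx.xx:3303 -> 216.239.53.19:443
<33>snort[3060]: [1:2522:10] WEB-MISC SSLv3 invalid Client_Hello attempt
[Classification: Attempted Denial of Service] [Priority: 2]: {TCP}
xx.xx.xx.xx:3303 -> 216.239.53.19:443
"""

# One unwrapped Snort syslog alert: [gid:sid:rev] msg [Classification] [Priority] {proto} src -> dst
ALERT = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>\S+?):(?P<sport>\d+) -> "
    r"(?P<dst>\S+?):(?P<dport>\d+)$"
)

def unwrap(text):
    """Rejoin hard-wrapped alerts; a new record starts at '<pri>snort['."""
    records = []
    for line in text.splitlines():
        if re.match(r"<\d+>snort\[", line):
            records.append(line.strip())
        elif records and line.strip():
            records[-1] += " " + line.strip()  # continuation of previous alert
    return records

def parse_alerts(text):
    """Return one dict of named fields per alert that matches the format."""
    return [m.groupdict() for rec in unwrap(text) if (m := ALERT.search(rec))]

def group_by_rule_and_dest(alerts):
    """Count alerts per (gid, sid, destination IP, destination port)."""
    return Counter((int(a["gid"]), int(a["sid"]), a["dst"], int(a["dport"]))
                   for a in alerts)

def suppress_lines(counts, min_hits=2):
    """Candidate Snort 2.x suppress entries for repeated rule/destination pairs."""
    return [f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {dst}"
            for (gid, sid, dst, _port), n in sorted(counts.items()) if n >= min_hits]
```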