On Dec 31, 2007, at 2007/12/31 3:45 AM, Sun wrote:
I'm confused by the signature and description about the alert:
'IMAP SSLv3 Server_Hello request'. The rule of this alert is as
follows:
alert tcp $HOME_NET 993 -> $EXTERNAL_NET any (msg:"IMAP SSLv3
Server_Hello request"; flow:to_client,established;
flowbits:isset,sslv3.client_hello.request; content:"|16 03 00|";
depth:3; content:"|02|"; depth:1; offset:5;
flowbits:set,sslv3.server_hello.request; flowbits:noalert;
metadata:service imap; classtype:protocol-command-decode; sid:2530;
rev:8;)
I learn following things from this rule:
1) the srcipaddress of this alert is a sslv3 server;
2) the server are sending a message to a client in the external net;
3) from the flow: to_client, I guess that the alert is an attack to
the client, rather than a response to an attack from the client;
However, the description of this alert says that the alert may
indicate that a DoS attack to the sslv3 server. So I'm confused by
these situations.
Because of the "flowbits:noalert", you should never see an alert with
this rule. This rule is used for tracking SSL connection state for
other meaningful rules and has no useful meaning by itself.
Are you sure this rule is generating an alert?
Brian
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2005.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
