Snort mailing list archives

Determination of ssl_state


From: Shin Mura <kmym0401 () gmail com>
Date: Thu, 16 Apr 2015 23:25:59 -0700

Hi,

I have something to clarify about how "ssl_state" is determined.

"ssl_state:client_hello" is specified in the [1:33801] signature. However, upon
confirming the unified file of the actual detected log converted to pcap
using Wireshark, the "Handshake Protocol" is not "Client Hello" but
"Encrypted Handshake Message". It seems that "ssl_state" cannot be properly
determined.

Actual configuration:
preprocessor ssl: ports { 443 }, trustservers, noinspect_encrypted

It would be really great if someone could provide some input on these issues.

Thanks and regards,

Shin