Snort mailing list archives

Re: 1:11672, 3:11672 BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt


From: Y M via Snort-sigs <snort-sigs () lists snort org>
Date: Thu, 28 Jun 2018 19:01:39 +0000

The only rule I have is 3:11672, I don't see 1:11672. Looking at the direction of the rule, I assume it is the response 
of the server that may be triggering the rules. Do the responding servers have anything in common such as IP addresses, 
SSL configurations/certificate? You might want to look closer at the traffic and the payload triggering the rule.

Hope this helps.
YM

________________________________
From: Snort-sigs <snort-sigs-bounces () lists snort org> on behalf of Steve Thames via Snort-sigs <snort-sigs () lists 
snort org>
Sent: Thursday, June 28, 2018 7:30 PM
To: snort-sigs () lists snort org
Subject: [Snort-sigs] 1:11672, 3:11672 BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt


In my pfSense Snort IDS/IPS, I am seeing an increasing number of these alerts from customer network IPs. These are 
large orgs with, potentially, hundreds of clients NATed to a single public IP.



This is a very old threat and I’m reasonably sure the clients are not using a 10-year-old version of Mozilla, Thunderbird, 
SeaMonkey, or Java to access our web servers.



Can someone shed some light on why we would be seeing an increasing number of these alerts?



Thanks.