Snort mailing list archives
Gmail https access fires "WEB-MISC SSLv2 openssl get shared ciphers overflow attempt" rule
From: Miguel Rubio-Roy <mrubioroy () gmail com>
Date: Fri, 2 Apr 2010 12:43:28 +0200
Hi all,

This looks to me like a false positive. Whenever I start an https session with Google or Gmail (not other https web sites, afaik) I get one or more "WEB-MISC SSLv2 openssl get shared ciphers overflow attempt" alerts.

This is a sample of the alerts I get when simply accessing Gmail or signing in on Google.

#0-(1-3041) WEB-MISC SSLv2 openssl get shared ciphers overflow attempt 2010-04-02 09:48:15 192.168.0.10:51378 209.85.229.97:443 TCP
#1-(1-3040) WEB-MISC SSLv2 openssl get shared ciphers overflow attempt 2010-04-02 09:48:13 192.168.0.10:51371 68.177.102.20:443 TCP
#2-(1-3039) WEB-MISC SSLv2 openssl get shared ciphers overflow attempt 2010-04-02 09:45:33 192.168.0.10:51327 209.85.227.104:443 TCP
#3-(1-3038) WEB-MISC SSLv2 openssl get shared ciphers overflow attempt 2010-04-02 09:42:57 192.168.0.10:51276 209.85.227.104:443 TCP
#4-(1-3037) WEB-MISC SSLv2 openssl get shared ciphers overflow attempt 2010-04-02 09:42:54 192.168.0.10:51268 209.85.227.18:443 TCP

Sometimes I've also got these:

#31-(1-3010) WEB-MISC SSLv3 invalid data version attempt 2010-04-02 09:37:21 192.168.0.10:51160 209.85.227.106:443 TCP

I'm using snort 2.8.5.3 (Build 124) and snortrules-snapshot-CURRENT of March the 30th.

Miguel

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel