Snort mailing list archives

Gmail https access fires "WEB-MISC SSLv2 openssl get shared ciphers overflow attempt" rule


From: Miguel Rubio-Roy <mrubioroy () gmail com>
Date: Fri, 2 Apr 2010 12:43:28 +0200

Hi all,
  This looks to me like a false positive. Whenever I start an https
session with Google or Gmail (not other https web sites, afaik) I get
one or more "WEB-MISC SSLv2 openssl get shared ciphers overflow
attempt" alerts.

This is a sample of the alerts I get when simply accessing Gmail or
signing in on Google.

#0-(1-3041)    WEB-MISC SSLv2 openssl get shared ciphers overflow attempt    2010-04-02 09:48:15    192.168.0.10:51378    209.85.229.97:443    TCP
#1-(1-3040)    WEB-MISC SSLv2 openssl get shared ciphers overflow attempt    2010-04-02 09:48:13    192.168.0.10:51371    68.177.102.20:443    TCP
#2-(1-3039)    WEB-MISC SSLv2 openssl get shared ciphers overflow attempt    2010-04-02 09:45:33    192.168.0.10:51327    209.85.227.104:443    TCP
#3-(1-3038)    WEB-MISC SSLv2 openssl get shared ciphers overflow attempt    2010-04-02 09:42:57    192.168.0.10:51276    209.85.227.104:443    TCP
#4-(1-3037)    WEB-MISC SSLv2 openssl get shared ciphers overflow attempt    2010-04-02 09:42:54    192.168.0.10:51268    209.85.227.18:443    TCP

Sometimes I've also got these:

#31-(1-3010)    WEB-MISC SSLv3 invalid data version attempt    2010-04-02 09:37:21    192.168.0.10:51160    209.85.227.106:443    TCP

I'm using snort 2.8.5.3 (Build 124) and snortrules-snapshot-CURRENT of
March the 30th.

Miguel

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel

