Snort mailing list archives

Questions about a couple alerts
From: "Gibson, Samuel" <gibsons () my uwstout edu>
Date: Fri, 8 Jun 2012 16:44:07 +0000

Hello,

I keep getting the following alerts:

ssp_ssl: Invalid Client HELLO after Server HELLO Detected and smtp: Attempted data header buffer overflow.

I have a few questions about how to handle them.

When I look at the captures from the ssp_ssl alert, I see a second Client Hello is sent in a TCP Retransmission. I am wondering if this is the desired behavior of Snort, to alert on this condition, and I should just configure threshold.conf to suppress it.

The smtp buffer overflow alert is interesting in that the data in the packet listed in Sguil seems to be part of the body of the email.

Thanks,

Sam
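
As an added example (not part of Sam's message and not taken from the Snort project's own files), the snort.conf and threshold.conf fragments below show the two ways the ssp_ssl alert can be quieted and the SMTP preprocessor setting that governs the second alert. The GID:SID pairs used here (137:1 for the SSL "Invalid Client HELLO after Server HELLO" event, 124:2 for the SMTP "Attempted data header buffer overflow" event) are taken from README.ssl and README.SMTP from memory and should be confirmed against the gen_id:sig_id shown in Sguil before use; the host address 192.0.2.10 is a placeholder.

```conf
# Added example, not from the original post or from Snort's shipped configs.
# GID:SID values (137:1, 124:2) are assumptions to verify in Sguil.
# 192.0.2.10 is a placeholder client address.

# --- snort.conf ---------------------------------------------------------

# SSL preprocessor: inspect handshakes only and stop inspecting a flow once
# it is known to be encrypted.
preprocessor ssl: ports { 443 465 563 636 989 992 993 994 995 }, \
    noinspect_encrypted

# SMTP preprocessor: 124:2 fires when a DATA-phase header line is longer than
# max_header_line_len (absent or 0 means never alert). Check what this is set
# to before treating the alert as noise; RFC 2821 suggests 1024 as a ceiling.
preprocessor smtp: ports { 25 587 }, \
    inspection_type stateful, \
    normalize cmds, \
    max_command_line_len 512, \
    max_header_line_len 1000, \
    max_response_line_len 512

# --- threshold.conf -----------------------------------------------------
# (pulled in by the "include threshold.conf" line in snort.conf)

# Option 1: suppress 137:1 only for the one client that keeps retransmitting
# its Client Hello, so the event still fires for every other host.
suppress gen_id 137, sig_id 1, track by_src, ip 192.0.2.10

# Option 2: keep the event but rate-limit it to one alert per source per hour,
# so the first hit still reaches the console without flooding it.
event_filter gen_id 137, sig_id 1, type limit, track by_src, count 1, seconds 3600

# A bare "suppress gen_id 137, sig_id 1" with no track/ip clause would hide the
# event for every host; hold off on that until the retransmission is confirmed
# benign on the wire.
```

Pick one of the two threshold.conf entries for a given gen_id/sig_id; a suppress takes effect before any event_filter for the same event, so listing both only makes the event_filter dead configuration. For the SMTP alert, compare the offending line length in the Sguil packet view against max_header_line_len before deciding whether to raise the limit or suppress; a body line being flagged as a header suggests the DATA headers and body were not separated by an empty line, which is worth confirming in the capture rather than filtering blind.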