Snort mailing list archives

Re: 1:11672, 3:11672 BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt


From: Steve Thames via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 29 Jun 2018 08:53:52 -0700

Re-looking at the rule, it seems that it is triggering on external IP
addresses destined to the protected network ($HOME_NET) on port 443 when the
flowbit sslv2.client_master_key.request is not set, while setting it at the
same time. Since the rule is compiled, it is difficult to determine the
content matches. The traffic generating this could be anything from a
scanner, scripts, automated tools, outdated client requests, etc.
Determining the ultimate risk of this rule will be almost impossible for
anyone except yourself.

 

This was my conclusion, as well. References seem to indicate the only risk
to my servers would be if they are using a very old version of NSS, which
they are not. For safety, I have disabled all SSLv2 support and the alert.

 

Thanks for your help.

 

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists snort org
https://lists.snort.org/mailman/listinfo/snort-sigs
