Snort mailing list archives
Re: 1:11672, 3:11672 BROWSER-OTHER Mozilla Network Security Services SSLv2 stack overflow attempt
From: Steve Thames via Snort-sigs <snort-sigs () lists snort org>
Date: Fri, 29 Jun 2018 08:53:52 -0700
Re-looking at the rule, it seems that it is triggering when external IP addresses destined to the protected network ($HOME_NET) on port 443 when the flowbit sslv2.client_master_key.request is not set, while setting at the same time. Since the rule is compiled, it is difficult to determine the content matches. The traffic generating this could be anything from a scanner, scripts, automated tools, outdated client requests, etc. Determining the ultimate risk of this rule will be almost impossible to anyone except yourself.

This was my conclusion, as well. References seem to indicate the only risk to my servers would be if they are using a very old version of NSS, which they are not. For safety, I have disabled all SSLv2 support and the alert. Thanks for your help.