Snort blocking remote staff when checking email with Outlook



  • I am using 2.0 RC3 and just setup a new firewall using the x64 edition. I cannot enable blocking since setting up the new firewall because Snort is going crazy with our remote staff. The one that is mainly causing the problem is this:

    (ssp_ssl) Invalid Client HELLO after Server HELLO Detected

    This seems to occur when they check their email from their laptops. They use Outlook and it connects using RPC over HTTP.

    I think the best approach would be to suppress the alert (if that stops the block too) but have no clue what statement to use in the suppress config.

    I also think RDP connections are causing problems too. The remote staff have access to Windows 2003 server which I forward port 3389 through the firewall for. I believe this is just a rule so I can hunt this one down and disable it. I am just stuck on how to influence the preprocessors.

    Thanks for any info or help someone can offer.



  • use :

    suppress gen_id 137, sig_id 1



  • Thanks, that seems to have done it!

    Btw, I am of a mindset, 'teach a man to fish…'

    How did you figure out how to come up with this? I'd like to understand how you match up the alerts you want to suppress with the proper command needed. This way I don't have to bother you good folks again for something so simple.

    Thanks again!



  • The first google hit for that entire error message ((ssp_ssl) Invalid Client HELLO after Server HELLO Detected) should give you a pretty big hint ;)

    When you get a Snort alert it provides you with 3 key numbers. The first is the Generator ID, the second the Rule ID and the third the Revision. When you want to suppress or threshold any given event you do it using the Generator ID and the Rule ID. Knowing those when diagnosing Snort related activity is nearly always far more useful than the message itself.



  • i am having the same problem and it seems the the salutation for suppress gen_id 137, sig_id 1
    is not working any idea ?
    thanks daniel



  • Did you remember to restart snort after you added that configuration line?



  • yes i did restart the service and the FW no change



  • Please post the all of the Snort messages (complete) for the point in time you try to connect to Exchange.



  • I have added the suppress line and it did not seem to work for me also.
    It seems this started after the last snort upgrade. (if i had to put a time frame on it..guessing) currently on the latest snort build on PF 2 release.

    removed ip from block list, restarted Snort.

    Log cleared and watched for the entry. (it does not seem like it happens right a way)
    IP's removed

    snort[24758]: [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} x.x.x.x:62848 -> x.x.x.x:443

    PF Log:
    Sep 19 14:30:51 snort[13668]: [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} x.x.x.x:42583 -> x.x.x.x:443
    Sep 19 14:30:51 snort[13668]: [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} x.x.x.x:42583 -> x.x.x.x:443

    Snort Alert:
    TCP (ssp_ssl) Invalid Client HELLO after Server HELLO Detected Potentially Bad Traffic x.x.x.x 42583 -> x.x.x.x 443 137:1:1 09/19-14:30:51



  • i m having the exact same log and it seems like it happens after a the second or third attempt
    of the client OWA and OMA
    (ssp_ssl) Invalid Client HELLO after Server HELLO Detected

    thanks daniel



  • Is this still an issue for both of you? Have not been able to get it working on my box.

    thx



  • yes it still is i dunt have to macth time to play with it i will try on the weekand
    thanks



  • OK I am lost can't figure this out need sum help ?



  • Start by unticking "Block offenders" in the interface settings. That will give you time to get to the bottom of why you're having problems disabling that rule.

    Also, can you post a screenshot of the Advanced configuration pass through section please.



  • i rebooted my fw this morning and did not have a problem till about an hour ago
    nothing in my adv config section.



  • Then Snort isn't doing any blocking, something else is your problem.



  • @Cry:

    Then Snort isn't doing any blocking, something else is your problem.

    Then what should be in there? I do not recall anything in the adv config box and Snort appears to be working fine besides this. The name applies "advance" to be passed to the snort config for additional options not available in the gui. (I know in the squid package, the custom options box shows configs, but never seen this in snort.)

    If Snort is not blocking/working then why is it "blocking" the data stream from the phones and producing the problem by blocking the ip's? Turning off snort or not block offenders allows the devices to work fine.
    It is also scanning other traffic and blocking offenders when needed.

    This was only an issues after one of the last updates.
    Thanks for our help.



  • Then how have you told it to suppress the rule? Where did you enter suppress gen_id 137, sig_id 1?



  • Under the "suppress" Tab

    I also just tried under adv config. Still not working.



  • What version of pfSense and the Snort package are you running?



  • PF 2.0 release
    Snort 2.9.0.5 pkg v. 2.0



  • Checking what is added to the snort config, it looks like the suppress tab doesn't work. Only items added to the Advanced tab are added to the config file from what I can see.



  • Thanks for the reply and testing Cry Havok

    OP and other users that posted to the thread.
    Can you post your versions of Snort and PF?
    Also note where you have the suppress line added.

    If this is a bug, it will help with trouble shooting.



  • @Cry:

    Checking what is added to the snort config, it looks like the suppress tab doesn't work. Only items added to the Advanced tab are added to the config file from what I can see.

    Did you also set the suppression rule list you created to the interface (If Settings->Suppression and Filtering)? If the interface is still set to default then it will not suppress any alerts.



  • @swinn:

    Did you also set the suppression rule list you created to the interface (If Settings->Suppression and Filtering)? If the interface is still set to default then it will not suppress any alerts.

    No - didn't know that those extra steps were required.



  • When deleting the line from Adv config, the system enter this in the gui field and reverted my config.
    ²êi­ë,éâw]û²("w
    Yes, that is correct, it was just a bunch of garbage.
    To be sure, i tried different browsers (FF,Chrome)



  • after adding the suppress to the interface snort stop blocking my OMA or OWA
    thanks for the tip
    :)


Locked