Snort blocking remote staff when checking email with Outlook
- 
 The first Google hit for that entire error message ((ssp_ssl) Invalid Client HELLO after Server HELLO Detected) should give you a pretty big hint ;) When you get a Snort alert it provides you with 3 key numbers. The first is the Generator ID, the second the Rule ID and the third the Revision. When you want to suppress or threshold any given event you do it using the Generator ID and the Rule ID. Knowing those when diagnosing Snort-related activity is nearly always far more useful than the message itself. 
- 
 I am having the same problem, and it seems the solution for suppress gen_id 137, sig_id 1 
 is not working. Any idea?
 Thanks, Daniel
- 
 Did you remember to restart snort after you added that configuration line? 
- 
 Yes, I did restart the service and the FW; no change. 
- 
 Please post all of the Snort messages (complete) for the point in time you try to connect to Exchange. 
- 
 I have added the suppress line and it did not seem to work for me either. 
 It seems this started after the last Snort upgrade (if I had to put a time frame on it... guessing). Currently on the latest Snort build on PF 2 release. Removed IP from block list, restarted Snort. Log cleared and watched for the entry. (It does not seem like it happens right away.) 
 IPs removed.
 snort[24758]: [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} x.x.x.x:62848 -> x.x.x.x:443
 PF Log: 
 Sep 19 14:30:51 snort[13668]: [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} x.x.x.x:42583 -> x.x.x.x:443
 Sep 19 14:30:51 snort[13668]: [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} x.x.x.x:42583 -> x.x.x.x:443
 Snort Alert: 
 TCP (ssp_ssl) Invalid Client HELLO after Server HELLO Detected Potentially Bad Traffic x.x.x.x 42583 -> x.x.x.x 443 137:1:1 09/19-14:30:51
- 
 I'm having the exact same log, and it seems like it happens after the second or third attempt 
 of the client OWA and OMA:
 (ssp_ssl) Invalid Client HELLO after Server HELLO Detected
 Thanks, Daniel 
- 
 Is this still an issue for both of you? Have not been able to get it working on my box. thx 
- 
 Yes, it still is. I don't have too much time to play with it; I will try on the weekend. 
 Thanks
- 
 OK, I am lost; can't figure this out, need some help. 
- 
 Start by unticking "Block offenders" in the interface settings. That will give you time to get to the bottom of why you're having problems disabling that rule. Also, can you post a screenshot of the Advanced configuration pass through section please. 
- 
 I rebooted my FW this morning and did not have a problem till about an hour ago. 
 Nothing in my adv config section.
- 
 Then Snort isn't doing any blocking, something else is your problem. 
- 
 @Cry: Then Snort isn't doing any blocking, something else is your problem.
 Then what should be in there? I do not recall anything in the adv config box, and Snort appears to be working fine besides this. The name implies "advanced", to be passed to the Snort config for additional options not available in the GUI. (I know in the Squid package, the custom options box shows configs, but I have never seen this in Snort.) If Snort is not blocking/working then why is it "blocking" the data stream from the phones and producing the problem by blocking the IPs? Turning off Snort or not blocking offenders allows the devices to work fine. 
 It is also scanning other traffic and blocking offenders when needed. This was only an issue after one of the last updates. 
 Thanks for your help.
- 
 Then how have you told it to suppress the rule? Where did you enter suppress gen_id 137, sig_id 1? 
- 
 Under the "suppress" tab. I also just tried under adv config. Still not working. 
- 
 What version of pfSense and the Snort package are you running? 
- 
 PF 2.0 release 
 Snort 2.9.0.5 pkg v. 2.0
- 
 Checking what is added to the snort config, it looks like the suppress tab doesn't work. Only items added to the Advanced tab are added to the config file from what I can see. 
- 
 Thanks for the reply and testing, Cry Havok. OP and other users that posted to the thread: 
 Can you post your versions of Snort and PF?
 Also note where you have the suppress line added. If this is a bug, it will help with troubleshooting. 
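
The first reply's point about the Generator ID and Rule ID, combined with the later check of what actually reaches the Snort config, as an added example that is not part of the original thread: it parses alert lines in the format quoted above and reports whether an active suppress line for each alerting gid:sid exists in a given config text. The sample log and both config strings are constructed, and the function names are illustrative.

```python
import re
from collections import Counter

# Syslog alert layout: [gid:sid:rev] msg [Classification: ..] [Priority: n] {PROTO} src -> dst
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+"
    r"\[Classification:[^\]]*\]\s+\[Priority:\s*\d+\]\s+"
    r"\{\w+\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
)
# Active suppress directive only; a line commented out with '#' does not match.
SUPPRESS_RE = re.compile(r"^[ \t]*suppress\s+gen_id\s+(\d+)\s*,\s*sig_id\s+(\d+)", re.M)

# Constructed samples: alert lines in the format quoted in the thread, plus two
# hypothetical config texts (one where the suppress line never became active).
ALERT = ("[137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected "
         "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} "
         "x.x.x.x:42583 -> x.x.x.x:443")
SAMPLE_LOG = "\n".join("Sep 19 14:30:51 snort[13668]: " + ALERT for _ in range(2))
CONF_WITHOUT = "# suppress gen_id 137, sig_id 1\n"
CONF_WITH = "# local suppressions\nsuppress gen_id 137, sig_id 1\n"

def parse_alerts(log_text):
    """Count alerts per (gid, sid); the revision is not used for suppression."""
    hits = Counter()
    for m in ALERT_RE.finditer(log_text):
        hits[(int(m["gid"]), int(m["sid"]))] += 1
    return hits

def audit(log_text, config_text):
    """For each alerting (gid, sid), report whether the config suppresses it."""
    active = {(int(g), int(s)) for g, s in SUPPRESS_RE.findall(config_text)}
    report = {}
    for key, count in parse_alerts(log_text).items():
        report[key] = {
            "count": count,
            "in_config": key in active,
            "directive": "suppress gen_id %d, sig_id %d" % key,
        }
    return report

if __name__ == "__main__":
    for name, conf in (("without", CONF_WITHOUT), ("with", CONF_WITH)):
        for key, info in audit(SAMPLE_LOG, conf).items():
            state = "present" if info["in_config"] else "MISSING"
            print(name, key, info["count"], "alerts;", info["directive"], "->", state)
```

An alert that keeps firing while `in_config` is true points at Snort not having reloaded the file; `in_config` false means the directive never reached the config that Snort reads.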
