Netgate Discussion Forum

Snort blocking remote staff when checking email with Outlook

pfSense Packages
27 Posts 6 Posters 11.8k Views
compucoder (Sep 10, 2011, 7:30 AM)

I am using 2.0 RC3 and just set up a new firewall using the x64 edition. I cannot enable blocking since setting up the new firewall because Snort is going crazy with our remote staff. The one that is mainly causing the problem is this:

(ssp_ssl) Invalid Client HELLO after Server HELLO Detected

This seems to occur when they check their email from their laptops. They use Outlook and it connects using RPC over HTTP.

I think the best approach would be to suppress the alert (if that stops the block too) but have no clue what statement to use in the suppress config.

I also think RDP connections are causing problems too. The remote staff have access to a Windows 2003 server, for which I forward port 3389 through the firewall. I believe this is just a rule so I can hunt this one down and disable it. I am just stuck on how to influence the preprocessors.

Thanks for any info or help someone can offer.

Macom2007 (Sep 10, 2011, 10:09 AM)

Use:

suppress gen_id 137, sig_id 1

compucoder (Sep 10, 2011, 4:36 PM)

Thanks, that seems to have done it!

Btw, I am of a mindset, 'teach a man to fish…'

How did you figure out how to come up with this? I'd like to understand how you match up the alerts you want to suppress with the proper command needed. This way I don't have to bother you good folks again for something so simple.

Thanks again!

Cry Havok (Sep 10, 2011, 4:54 PM)

The first Google hit for that entire error message ((ssp_ssl) Invalid Client HELLO after Server HELLO Detected) should give you a pretty big hint ;)

When you get a Snort alert it provides you with 3 key numbers. The first is the Generator ID, the second the Rule ID and the third the Revision. When you want to suppress or threshold any given event you do it using the Generator ID and the Rule ID. Knowing those when diagnosing Snort related activity is nearly always far more useful than the message itself.

djmime (Sep 17, 2011, 3:43 PM)

I am having the same problem and it seems the solution, suppress gen_id 137, sig_id 1, is not working. Any idea?
Thanks, Daniel

Cry Havok (Sep 17, 2011, 7:37 PM)

Did you remember to restart Snort after you added that configuration line?

djmime (Sep 18, 2011, 7:27 AM, edited Sep 18, 2011, 7:51 AM)

Yes, I did restart the service and the FW; no change.

Cry Havok (Sep 18, 2011, 4:02 PM)

Please post all of the Snort messages (complete) for the point in time you try to connect to Exchange.

vito (Sep 19, 2011, 4:14 PM)

I have added the suppress line and it did not seem to work for me either.
It seems this started after the last Snort upgrade (if I had to put a time frame on it, guessing). Currently on the latest Snort build on PF 2 release.

Removed IP from block list, restarted Snort.

Log cleared and watched for the entry (it does not seem like it happens right away).
IPs removed

snort[24758]: [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} x.x.x.x:62848 -> x.x.x.x:443

PF Log:
Sep 19 14:30:51 snort[13668]: [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} x.x.x.x:42583 -> x.x.x.x:443
Sep 19 14:30:51 snort[13668]: [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} x.x.x.x:42583 -> x.x.x.x:443

Snort Alert:
TCP (ssp_ssl) Invalid Client HELLO after Server HELLO Detected Potentially Bad Traffic x.x.x.x 42583 -> x.x.x.x 443 137:1:1 09/19-14:30:51
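An added example, not from the thread or the pfSense Snort package: a small Python script that pulls the Generator ID / Rule ID / Revision triple Cry Havok describes out of syslog lines shaped like the ones vito posted, tallies which events fire and from which source addresses, and builds the matching threshold.conf suppress entry, both the global form Macom2007 posted and the narrower `track by_src` / `track by_dst` form that limits the suppression to one address so the event stays visible for everyone else. The sample log lines are constructed (documentation-range addresses) and the local-rule entry in them is invented for the example.

```python
import re
from collections import Counter
from typing import Optional

# Matches the syslog-style Snort alert lines quoted in this thread, e.g.
#   snort[13668]: [137:1:1] (ssp_ssl) Invalid ... {TCP} x.x.x.x:42583 -> x.x.x.x:443
ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+"
    r"\[Classification: (?P<cls>[^\]]+)\]\s+\[Priority: (?P<pri>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+?):(?P<sport>\d+)\s+->\s+(?P<dst>\S+?):(?P<dport>\d+)"
)

def parse_alert(line: str) -> Optional[dict]:
    """Return the alert's fields as a dict, or None for a non-alert line."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "pri", "sport", "dport"):
        d[key] = int(d[key])
    return d

def suppress_line(alert: dict, track: Optional[str] = None) -> str:
    """threshold.conf entry keyed on gen_id/sig_id. track=None silences the
    event for every host (the line Macom2007 posted); 'by_src'/'by_dst'
    limits it to the alert's source/destination IP so it stays visible
    for other hosts."""
    base = f"suppress gen_id {alert['gid']}, sig_id {alert['sid']}"
    if track is None:
        return base
    ip = alert["src"] if track == "by_src" else alert["dst"]
    return f"{base}, track {track}, ip {ip}"

def summarize(lines) -> dict:
    """Count hits per (gid, sid) and per (gid, sid, src) so you can see what
    really fires, and from where, before suppressing anything."""
    per_event, per_source = Counter(), Counter()
    for a in filter(None, map(parse_alert, lines)):
        per_event[(a["gid"], a["sid"])] += 1
        per_source[(a["gid"], a["sid"], a["src"])] += 1
    return {"events": dict(per_event), "sources": dict(per_source)}

# Constructed sample log (documentation-range addresses; not taken from the thread)
SAMPLE_LOG = [
    "Sep 19 14:30:51 snort[13668]: [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:42583 -> 192.0.2.10:443",
    "Sep 19 14:30:51 snort[13668]: [137:1:1] (ssp_ssl) Invalid Client HELLO after Server HELLO Detected [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:42583 -> 192.0.2.10:443",
    "Sep 19 14:31:02 snort[13668]: [1:1000001:1] LOCAL constructed test rule [Classification: Potentially Bad Traffic] [Priority: 3] {TCP} 198.51.100.9:51022 -> 192.0.2.10:80",
    "Sep 19 14:31:05 snort[13668]: Snort restarted",
]
```

Running `summarize(SAMPLE_LOG)` shows two hits of 137:1 from one source before any suppress line is written; Snort must still be restarted for a new threshold.conf entry to take effect, as noted in the thread.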

djmime (Sep 19, 2011, 4:49 PM)

I'm having the exact same log and it seems like it happens after the second or third attempt of the client OWA and OMA:
(ssp_ssl) Invalid Client HELLO after Server HELLO Detected

Thanks, Daniel

vito (Sep 21, 2011, 9:52 PM)

Is this still an issue for both of you? Have not been able to get it working on my box.

Thx

djmime (Sep 22, 2011, 7:25 AM)

Yes, it still is. I don't have much time to play with it; I will try on the weekend.
Thanks

djmime (Sep 24, 2011, 1:39 PM)

OK, I am lost and can't figure this out. Need some help?

Cry Havok (Sep 24, 2011, 8:17 PM)

Start by unticking "Block offenders" in the interface settings. That will give you time to get to the bottom of why you're having problems disabling that rule.

Also, can you post a screenshot of the Advanced configuration pass through section please.

vito (Sep 25, 2011, 1:58 AM)

I rebooted my FW this morning and did not have a problem till about an hour ago.
Nothing in my adv config section.

Cry Havok (Sep 25, 2011, 8:58 AM)

Then Snort isn't doing any blocking, something else is your problem.

vito (Sep 25, 2011, 12:21 PM)

@Cry: "Then Snort isn't doing any blocking, something else is your problem."

Then what should be in there? I do not recall anything in the adv config box and Snort appears to be working fine besides this. The name implies "advanced" options to be passed to the Snort config for additional options not available in the GUI. (I know in the Squid package the custom options box shows configs, but I have never seen this in Snort.)

If Snort is not blocking/working then why is it "blocking" the data stream from the phones and producing the problem by blocking the IPs? Turning off Snort or "Block offenders" allows the devices to work fine.
It is also scanning other traffic and blocking offenders when needed.

This was only an issue after one of the last updates.
Thanks for your help.

Cry Havok (Sep 25, 2011, 4:07 PM)

Then how have you told it to suppress the rule? Where did you enter suppress gen_id 137, sig_id 1?

vito (Sep 25, 2011, 6:20 PM)

Under the "Suppress" tab.

I also just tried under adv config. Still not working.

Cry Havok (Sep 25, 2011, 7:23 PM)

What version of pfSense and the Snort package are you running?
