Ssp_ssl: Invalid Client HELLO after Server HELLO Detected



  • Hi,

    I have read so much info and many different suggestions as to why my Snort is displaying false positives. I have got the

    Define SSL_IGNORE = 443 465 563 636 989 990 992 993 994 995

    but I am still getting alert messages inbound and outbound displaying the error "ssp_ssl: Invalid Client HELLO after Server HELLO Detected"

    I can't find a way around it?



  • Have the same problem and even after adding:

    suppress gen_id 137, sig_id 1

    the alerts won't be in the alert list, but the IPs are getting blocked by Snort…



  • Check this video tutorial for Snort rule suppress
    YouTube video



  • Hi Marcelloc,

    Thanks for your answer, but I did exactly that. I have several other suppressions and they work properly; they don't show up in the alert list and they don't get blocked…

    With this one they don't show up in the alert list, but they get blocked(?)

