Ssp_ssl: Invalid Client HELLO after Server HELLO Detected

ANSASERVERS · Dec 27, 2011, 5:38 AM

Hi,

I have read so much info and many different suggestions to why my snort is display false positives. I have got the

Define SSL_IGNORE = 443 465 563 636 989 990 992 993 994 995

but i am still getting alert messages inbound and outbound displaying the error "ssp_ssl: Invalid Client HELLO after Server HELLO Detected"

I carnt find a way around it?

digdug3 · Dec 27, 2011, 7:39 AM

Have the same problem and even after adding:

suppress gen_id 137, sig_id 1

the alerts won't be in the alert list, but the ip's are getting blocked by snort…

marcelloc · Dec 27, 2011, 11:51 AM

Check this Video tutorial for snort rule supress
https://www.youtube.com/watch?v=uQ7OrxtiAes

digdug3 · Dec 27, 2011, 1:02 PM

Hi Marcelloc,

Thanks for your answer, but I did exactly that. I have serveral other suppressions and they work properly; they don't show up in the alert list and they don't get blocked…

With this one they don't show up in the alert list, but they get blocked(?)