Anyone else using Snort with the Emerging Threats rule set? I just started having a ton of problems related to matches for sig_id 2019416 (outbound POODLE risk). The match is spotty though. I get that this is not a Snort or Emerging Threats forum; however, I was wondering if anyone else using Firefox had issues. Or, as I am thinking is the case, I am special. I have even pulled in the latest Firefox from Mozilla to see if that helped, with the logic being that it was Firefox allowing an SSLv3 connection to be set up. Anyway, I thought the client set what it allowed in the initial connection setup; that being said, the latest Firefox is supposed to address that, I thought.
Any help would be appreciated as I am not sure the older information related to addressing SSLv3 is still relevant. Again, input appreciated. I am just trying to rule out anything on the system before digging into the rule maybe being a bit greedy on its match or something.
EDIT:
In my case, all sessions with the following are getting matched:
The actual blocks being done:
03/21/2016-19:56:51.653882 [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-20:03:57.965801 [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 74.125.196.101:443
03/21/2016-20:04:28.806374 [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 74.125.196.102:443
03/21/2016-20:27:39.110696 [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 157.56.141.114:443
03/21/2016-20:27:45.174199 [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-20:45:56.258553 [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-21:11:23.424291 [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-21:16:23.405877 [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-21:23:12.901352 [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-21:28:14.403773 [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-21:31:56.565142 [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 74.125.196.190:443
03/21/2016-21:33:15.808408 [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-21:38:16.825851 [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-21:45:12.910182 [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 216.58.192.100:443
03/21/2016-22:09:44.907446 [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 74.125.196.190:443
/root: grep 'google\|centos' /var/log/suricata/suricata_em27797/tls.log|grep -i sslv3
03/21/2016-19:56:51.608252 76.114.92.75:47486 -> 216.58.192.100:443 TLS: Subject='C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com' Issuerdn='C=US, O=Google Inc, CN=Google Internet Authority G2' SHA1='52:87:a0:e8:8a:9b:e9:90:fb:fc:29:44:49:ed:b4:2c:b9:2a:ac:74' VERSION='SSLv3'
03/21/2016-20:03:57.943915 76.114.92.75:48354 -> 74.125.196.101:443 TLS: Subject='C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com' Issuerdn='C=US, O=Google Inc, CN=Google Internet Authority G2' SHA1='14:d9:58:1a:8c:a0:1d:78:0f:b2:9d:a3:3e:f4:4e:df:9b:cb:92:ae' VERSION='SSLv3'
03/21/2016-20:04:28.806778 76.114.92.75:10569 -> 74.125.196.102:443 TLS: Subject='C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com' Issuerdn='C=US, O=Google Inc, CN=Google Internet Authority G2' SHA1='14:d9:58:1a:8c:a0:1d:78:0f:b2:9d:a3:3e:f4:4e:df:9b:cb:92:ae' VERSION='SSLv3'
03/21/2016-20:27:45.135834 76.114.92.75:29988 -> 216.58.192.100:443 TLS: Subject='C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com' Issuerdn='C=US, O=Google Inc, CN=Google Internet Authority G2' SHA1='52:87:a0:e8:8a:9b:e9:90:fb:fc:29:44:49:ed:b4:2c:b9:2a:ac:74' VERSION='SSLv3'
03/21/2016-20:54:11.194203 76.114.92.75:33448 -> 216.58.192.100:443 TLS: Subject='C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com' Issuerdn='C=US, O=Google Inc, CN=Google Internet Authority G2' SHA1='52:87:a0:e8:8a:9b:e9:90:fb:fc:29:44:49:ed:b4:2c:b9:2a:ac:74' VERSION='SSLv3'
03/21/2016-21:31:56.571349 76.114.92.75:19048 -> 74.125.196.190:443 TLS: Subject='C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com' Issuerdn='C=US, O=Google Inc, CN=Google Internet Authority G2' SHA1='14:d9:58:1a:8c:a0:1d:78:0f:b2:9d:a3:3e:f4:4e:df:9b:cb:92:ae' VERSION='SSLv3'
03/21/2016-21:31:56.543115 76.114.92.75:25312 -> 74.125.196.190:443 TLS: Subject='C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com' Issuerdn='C=US, O=Google Inc, CN=Google Internet Authority G2' SHA1='14:d9:58:1a:8c:a0:1d:78:0f:b2:9d:a3:3e:f4:4e:df:9b:cb:92:ae' VERSION='SSLv3'
03/21/2016-22:08:36.867880 76.114.92.75:32507 -> 216.58.192.100:443 TLS: Subject='C=US, ST=California, L=Mountain View, O=Google Inc, CN=www.google.com' Issuerdn='C=US, O=Google Inc, CN=Google Internet Authority G2' SHA1='52:87:a0:e8:8a:9b:e9:90:fb:fc:29:44:49:ed:b4:2c:b9:2a:ac:74' VERSION='SSLv3'
03/21/2016-22:09:44.883433 76.114.92.75:47798 -> 74.125.196.190:443 TLS: Subject='C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com' Issuerdn='C=US, O=Google Inc, CN=Google Internet Authority G2' SHA1='14:d9:58:1a:8c:a0:1d:78:0f:b2:9d:a3:3e:f4:4e:df:9b:cb:92:ae' VERSION='SSLv3'
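The two listings above are Suricata-style fast.log alerts and tls.log session records. As an added example (not from the post, from Suricata or from the Emerging Threats rule set), the Python script below parses both formats and cross-references each sid 2019416 alert with the tls.log session to the same destination and port within a two-second window, so each block can be sorted into "backed by a session the sensor itself logged as SSLv3" or "no confirming session", the latter being the ones worth examining when asking whether the rule matches too greedily. The log lines embedded in the script are constructed in the post's format using documentation addresses and made-up certificate fields; the two-second window, the function names and the field names are my own choices.

```python
"""Triage Suricata fast.log alerts for ET sid 2019416 against tls.log sessions.

Added example for the post above; not part of the post, Suricata or Emerging
Threats. The sample log lines are constructed (documentation IPs, invented
certificates) in the same format as the lines shown in the post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alerts. Lines 1 and 3 use the truncated "{TCP} dst:port" form shown in
# the post; line 2 uses the full "{TCP} src:port -> dst:port" form Suricata writes.
# Line 4 is an unrelated alert (constructed local sid) that must be ignored.
FAST_LOG = """\
03/21/2016-19:56:51.653882 [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.10:443
03/21/2016-20:03:57.965801 [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.0.2.10:48354 -> 198.51.100.20:443
03/21/2016-20:10:00.000000 [Block Src] [**] [1:2019416:3] ET POLICY SSLv3 outbound connection from client vulnerable to POODLE attack [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 198.51.100.30:443
03/21/2016-20:11:00.000000 [Block Src] [**] [1:1000001:1] LOCAL constructed unrelated alert [**] [Classification: Misc activity] [Priority: 3] {TCP} 198.51.100.40:80
"""

# Constructed sessions. The third one is TLSv1.2, so the alert against
# 198.51.100.30 has no SSLv3 session backing it.
TLS_LOG = """\
03/21/2016-19:56:51.608252 192.0.2.10:47486 -> 198.51.100.10:443 TLS: Subject='C=US, O=Example Inc, CN=www.example.com' Issuerdn='C=US, O=Example CA, CN=Example Intermediate CA' SHA1='aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd' VERSION='SSLv3'
03/21/2016-20:03:57.943915 192.0.2.10:48354 -> 198.51.100.20:443 TLS: Subject='C=US, O=Example Inc, CN=*.example.com' Issuerdn='C=US, O=Example CA, CN=Example Intermediate CA' SHA1='11:22:33:44:55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44' VERSION='SSLv3'
03/21/2016-20:09:59.500000 192.0.2.10:50000 -> 198.51.100.30:443 TLS: Subject='C=US, O=Example Inc, CN=cdn.example.com' Issuerdn='C=US, O=Example CA, CN=Example Intermediate CA' SHA1='55:66:77:88:99:aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88' VERSION='TLSv1.2'
"""

TS_FMT = "%m/%d/%Y-%H:%M:%S.%f"

# The "[Block Src]" action tag is optional; plain Suricata fast.log may omit it.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?:\[(?P<action>[^\]]+)\] )?\[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] .*\{(?P<proto>\w+)\} "
    r"(?:(?P<src>[\d.]+):(?P<sport>\d+) -> )?(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
TLS_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) TLS: "
    r"Subject='(?P<subject>[^']*)' Issuerdn='(?P<issuer>[^']*)' SHA1='(?P<sha1>[^']*)' "
    r"VERSION='(?P<version>[^']*)'$"
)


def _parse(text, regex):
    """Parse every line that matches `regex`; skip (don't crash on) the rest."""
    records = []
    for line in text.splitlines():
        m = regex.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
        records.append(rec)
    return records


def parse_fast_log(text):
    return _parse(text, ALERT_RE)


def parse_tls_log(text):
    return _parse(text, TLS_RE)


def common_name(subject):
    """Pull the CN out of a Subject string like 'C=US, O=Example, CN=host'."""
    m = re.search(r"CN=([^,]+)", subject)
    return m.group(1).strip() if m else subject


def correlate(alerts, sessions, sid="2019416", window=timedelta(seconds=2)):
    """Pair each alert for `sid` with the closest tls.log session to the same
    dst:port inside `window`, or with None when no session was logged."""
    pairs = []
    for alert in alerts:
        if alert["sid"] != sid:
            continue
        candidates = [s for s in sessions
                      if s["dst"] == alert["dst"] and s["dport"] == alert["dport"]
                      and abs(s["ts"] - alert["ts"]) <= window]
        best = min(candidates, key=lambda s: abs(s["ts"] - alert["ts"]), default=None)
        pairs.append((alert, best))
    return pairs


def summarize(pairs):
    """Per destination: alert count, alerts backed by an SSLv3 session, alerts with
    no session or a non-SSLv3 one ("unconfirmed"), and the server CNs seen."""
    summary = defaultdict(lambda: {"alerts": 0, "sslv3": 0, "unconfirmed": 0, "cns": set()})
    for alert, session in pairs:
        row = summary[alert["dst"]]
        row["alerts"] += 1
        if session is not None and session["version"] == "SSLv3":
            row["sslv3"] += 1
        else:
            row["unconfirmed"] += 1
        if session is not None:
            row["cns"].add(common_name(session["subject"]))
    return dict(summary)


if __name__ == "__main__":
    pairs = correlate(parse_fast_log(FAST_LOG), parse_tls_log(TLS_LOG))
    for dst, row in sorted(summarize(pairs).items()):
        print(f"{dst:16} alerts={row['alerts']} sslv3={row['sslv3']} "
              f"unconfirmed={row['unconfirmed']} cn={sorted(row['cns'])}")
```

To run it against a real sensor, read the two files into `FAST_LOG` and `TLS_LOG` (or pass their contents to the two parse functions). Destinations with a non-zero "unconfirmed" count are the ones where the rule fired without the sensor's own TLS parser recording an SSLv3 handshake, which is the discrepancy the post is asking about.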