[Bro] Question about tuning

Bernhard Amann bernhard at ICSI.Berkeley.EDU
Fri Feb 7 12:24:05 PST 2014


Hello Tim,

without actually looking into the analyzer source - if I am not mistaken what the message is saying is that 
bro saw a server hello message being sent without the client hello being sent first (which
is required by the protocol). 

I have not seen or heard of this happening anywhere consistently, and cannot really
see how that usually should happen on a regular basis. Would it perhaps be possible to get a
trace of one connection that triggers this message?

Bernhard

On Feb 7, 2014, at 11:04 AM, Tim Ray <tray at 21ct.com> wrote:

> Getting lots of this in dpd:
> unexpected Handshake message SERVER HELLO from responder in state INITIAL
> 
> Looks like in the SSL analyzer. By far the bulk of the messages we’re seeing. Anyone seen this and tuned it? Or is it indicative of a serious misconfiguration?
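
The condition described in the reply above, as an added example that is not part of the original thread and is not Bro's analyzer code: a minimal tracker that reads TLS record headers in the order a monitor sees them and reports a server hello arriving while no client hello has been seen. The helper names and the state names other than INITIAL are assumptions, the records are constructed, and only the first handshake message of each record is inspected.

```python
import struct

HANDSHAKE = 22                     # TLS record content type for handshake
CLIENT_HELLO, SERVER_HELLO = 1, 2  # TLS handshake message types

def record(msg_type, payload=b"\x00" * 4):
    """Build a constructed TLS handshake record (placeholder payload, not a real hello)."""
    body = bytes([msg_type]) + len(payload).to_bytes(3, "big") + payload
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(body)) + body

def handshake_types(data):
    """Yield the first handshake message type of each handshake record in data."""
    off = 0
    while off + 5 <= len(data):
        ctype, _version, length = struct.unpack_from("!BHH", data, off)
        body = data[off + 5:off + 5 + length]
        if ctype == HANDSHAKE and body:
            yield body[0]
        off += 5 + length

def check(events):
    """events: (is_orig, bytes) pairs in the order the monitor saw them."""
    state, problems = "INITIAL", []
    for is_orig, data in events:
        for mtype in handshake_types(data):
            if mtype == CLIENT_HELLO and is_orig and state == "INITIAL":
                state = "CLIENT_HELLO_SEEN"      # hypothetical state name
            elif mtype == SERVER_HELLO and not is_orig:
                if state == "INITIAL":
                    problems.append("unexpected Handshake message SERVER HELLO "
                                    "from responder in state INITIAL")
                else:
                    state = "SERVER_HELLO_SEEN"  # hypothetical state name
    return state, problems

# Constructed inputs: a complete exchange, and one where the monitor never saw the client hello.
COMPLETE = [(True, record(CLIENT_HELLO)), (False, record(SERVER_HELLO))]
SERVER_ONLY = [(False, record(SERVER_HELLO))]

if __name__ == "__main__":
    for name, events in (("complete", COMPLETE), ("server-only", SERVER_ONLY)):
        print(name, check(events))
```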




