[Bro] Question about tuning
John Landers
jlanders at paymetric.com
Fri Feb 7 12:56:55 PST 2014
This happens a lot in my environment as well. From some research I've done in the past, it's largely an issue of timing where a client does initiate the conversation but the server waits too long (for a variety of reasons) and the connection attempt was already reset.
I generally ignore it as network garbage and I, too, would be interested in tuning this out of Bro.
John Landers
-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Bernhard Amann
Sent: Friday, February 7, 2014 2:24 PM
To: Tim Ray
Cc: Bro
Subject: Re: [Bro] Question about tuning
Hello Tim,
without actually looking into the analyzer source - if I am not mistaken what the message is saying is that bro saw a server hello message being sent without the client hello being sent first (which is required by the protocol).
I have not seen or heard of this happening anywhere consistently, and cannot really see how that usually should happen on a regular basis. Would it perhaps be possible to get a trace of one connection that triggers this message?
Bernhard
On Feb 7, 2014, at 11:04 AM, Tim Ray <tray at 21ct.com> wrote:
> Getting lots of this in dpd:
> unexpected Handshake message SERVER HELLO from responder in state
> INITIAL
>
> Looks like in the SSL analyzer. By far the bulk of the messages we're seeing. Anyone seen this and tuned it? Or is it indicative of a serious misconfiguration?
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
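An added illustration, not part of the thread and not Bro's analyzer code: a simplified Python model of the ordering rule Bernhard describes, where a server hello is only expected after a client hello has been seen. The record bytes, function names and state names other than INITIAL are constructed for this example; the second sample simply omits the client hello from the observed stream.

```python
import struct

HANDSHAKE = 22                      # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2   # TLS handshake message types

def record(msg_type, body=b"\x00" * 4):
    """Build a constructed TLS 1.0 record holding one handshake message."""
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs

def first_handshake_type(data):
    """Return the handshake type of the first record, or None if not parseable."""
    if len(data) < 6:
        return None
    ctype, _version, length = struct.unpack("!BHH", data[:5])
    if ctype != HANDSHAKE or length < 1 or len(data) < 5 + length:
        return None
    return data[5]

def check_order(segments):
    """segments: list of (from_originator, payload) in the order observed."""
    state, notes = "INITIAL", []
    for from_orig, payload in segments:
        hs = first_handshake_type(payload)
        if hs == CLIENT_HELLO and from_orig and state == "INITIAL":
            state = "CLIENT_HELLO_SEEN"
        elif hs == SERVER_HELLO and not from_orig:
            if state != "CLIENT_HELLO_SEEN":
                # Same wording as the dpd message quoted in the thread.
                notes.append("unexpected Handshake message SERVER HELLO "
                             "from responder in state " + state)
            state = "SERVER_HELLO_SEEN"
    return notes

# Constructed samples: a complete exchange, and one where only the
# responder's side of the handshake is present in the observed stream.
COMPLETE = [(True, record(CLIENT_HELLO)), (False, record(SERVER_HELLO))]
SERVER_ONLY = [(False, record(SERVER_HELLO))]

if __name__ == "__main__":
    for name, sample in (("complete", COMPLETE), ("server-only", SERVER_ONLY)):
        print(name, check_order(sample))
```
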