Rule Category

SERVER-OTHER -- Snort has detected traffic exploiting vulnerabilities in a server in the network.

Alert Message

SERVER-OTHER TLSv1.0 POODLE CBC padding brute force attempt

Rule Explanation

An indicator of this attack is a large number of SSL sessions being created by a single client.

What To Look For

A large number of SSL sessions will trigger this rule.

Known Usage

Public information/Proof of Concept available

False Positives

Known false positives, with the described conditions

If a customer environment expects a large number of sessions from the same origin (possibly a proxy situation), this rule can produce false positives. Customers could disable this rule and recreate it as a custom rule with a detection filter tuned to their environment.
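One way to choose the `count` and `seconds` values for such a tuned detection filter is to replay baseline traffic through a model of the filter. This is an added example, not Talos code: the addresses and timestamps are constructed, each event stands for one match of the rule's other options, and the fixed per-source window (Snort's `track by_src`) is an assumed approximation of Snort's counting.

```python
from collections import defaultdict

def windowed_counts(events, seconds):
    """Yield (src, matches so far in that source's current window).
    Assumption: a window opens at a source's first match and lasts `seconds`."""
    start, seen = {}, {}
    for ts, src in sorted(events):
        if src not in start or ts - start[src] >= seconds:
            start[src], seen[src] = ts, 0
        seen[src] += 1
        yield src, seen[src]

def peak_per_source(events, seconds):
    """Highest match count any single window reached, per source."""
    peak = defaultdict(int)
    for src, n in windowed_counts(events, seconds):
        peak[src] = max(peak[src], n)
    return dict(peak)

def alerts_per_source(events, count, seconds):
    """Alerts a filter with this count/seconds would raise: only matches
    beyond `count` inside one window generate an event."""
    alerts = defaultdict(int)
    for src, n in windowed_counts(events, seconds):
        if n > count:
            alerts[src] += 1
    return dict(alerts)

# Constructed baseline: (timestamp in seconds, source address).
PROXY = [(i * 1.5, "10.0.0.5") for i in range(120)]          # steady 40 per minute
BURST = [(30 + i * 0.25, "192.0.2.77") for i in range(240)]  # 240 within one minute
HOST = [(i * 10.0, "10.0.0.20") for i in range(5)]           # ordinary workstation
EVENTS = PROXY + BURST + HOST

if __name__ == "__main__":
    # The proxy's peak is the lowest count that keeps the proxy silent.
    print("peak per 60 s window:", peak_per_source(EVENTS, 60))
    for count in (30, 40):
        print("count", count, "->", alerts_per_source(EVENTS, count, 60))
```

A `count` at or above the proxy's observed peak silences the proxy while the single-client burst still alerts; rerun the comparison on real baseline captures before changing the rule.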

Contributors

Talos

Rule Groups

MITRE::ATT&CK Framework::Enterprise::Reconnaissance::Gather Victim Host Information

MITRE::ATT&CK Framework::Enterprise::Initial Access::Exploit Public-Facing Application

CVE

Additional Links

Rule Vulnerability

N/A

Not Applicable

CVE Additional Information

This product uses data from the NVD API but is not endorsed or certified by the NVD.
CVE-2014-8730
CVE-2014-3566