SSL Preprocessor Rules

If you want to generate events and, in an inline deployment, drop offending packets, enable SSL preprocessor rules (GID 137).

The following table describes the SSL preprocessor rules you can enable.

SSL Preprocessor Rules

Preprocessor Rule GID:SID

Description

137:1

Detects a ClientHello message after a ServerHello message, which is invalid and considered to be anomalous behavior.

137:2

Detects a ServerHello message without a ClientHello message when the SSL preprocessor option Server side data is trusted is disabled, which is invalid and considered to be anomalous behavior.

137:3

Detects a heartbeat request with a payload length greater than the payload itself when the SSL preprocessor option Max Heartbeat Length contains a non-zero value, which indicates an attempt to exploit the Heartbleed bug.

137:4

Detects a heartbeat response larger than a non-zero value specified in the SSL preprocessor option Max Heartbeat Length, which indicates an attempt to exploit the Heartbleed bug.