Question about tuning

Getting lots of this in dpd:
unexpected Handshake message SERVER HELLO from responder in state INITIAL

Looks like in the SSL analyzer. By far the bulk of the messages we’re seeing. Anyone seen this and tuned it? Or is it indicative of a serious misconfiguration?

Hello Tim,

Without actually looking into the analyzer source, if I am not mistaken, what the message is saying is that
bro saw a server hello message being sent without the client hello being sent first (which
is required by the protocol).

I have not seen or heard of this happening anywhere consistently, and cannot really
see how that should usually happen on a regular basis. Would it perhaps be possible to get a
trace of one connection that triggers this message?
This happens a lot in my environment as well. From some research I've done in the past, it's largely an issue of timing where a client does initiate the conversation but the server waits too long (for a variety of reasons) and the connection attempt was already reset.

I generally ignore it as network garbage and I, too, would be interested in tuning this out of Bro.

John Landers
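One way to tune this particular failure reason out of dpd.log without touching the analyzer, as an added example that is not from anyone in this thread; it assumes Bro 2.x's logging framework and the DPD::LOG stream / DPD::Info record (with its failure_reason field) from base/frameworks/dpd, and the module name DPDTune is made up here:

```bro
# Added example: drop one known-noisy failure reason from dpd.log.
# Assumes Bro 2.x, the DPD::LOG stream and the DPD::Info record
# (with its failure_reason field) from base/frameworks/dpd.
@load base/frameworks/dpd

module DPDTune;

export {
	## Failure reasons treated as network noise rather than a
	## misbehaving host. Extend via redef in local.bro.
	const ignored_reasons: set[string] = {
		"unexpected Handshake message SERVER HELLO from responder in state INITIAL",
	} &redef;
}

## Count what was suppressed so the tuning stays visible
## (printed at shutdown here; a metrics hook would do in production).
global suppressed: count = 0;

function keep_dpd_record(rec: DPD::Info): bool
	{
	if ( rec$failure_reason in ignored_reasons )
		{
		++suppressed;
		return F;
		}
	return T;
	}

event bro_init()
	{
	# Replace the stock filter with one that applies the predicate.
	Log::remove_default_filter(DPD::LOG);
	Log::add_filter(DPD::LOG, [$name="default", $pred=keep_dpd_record]);
	}

event bro_done()
	{
	print fmt("dpd.log: suppressed %d known-noise record(s)", suppressed);
	}
```

Filtering the record only changes what lands in dpd.log; DPD still disables the SSL analyzer for that connection, so this does not mask the underlying behaviour, and the suppressed count lets you notice if the volume suddenly concentrates on a few responders, which would point at a real server-side problem rather than timing noise.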