"The following Snort signature may have better detection for the Microsoft SSL Bomb DoS attack than the ones previously published. This was contributed by an external organization, where the signature has been running without false positives for the duration of the day. Please report any successful detections and/or false positives.

There is also an indication that attackers may be changing the published exploit code to avoid detection. The below signature is designed to alert on the root cause of the vulnerability, not a specific trait of the published exploit.

alert tcp any any -> $HOME_NET 443 (msg: "SSL Bomb DoS Attempt"; \
content:"|16 03 00|"; offset:0; depth:3; content:"|01|"; distance:2; \
within:1; byte_jump:1,37,relative,align; byte_test:2,>,255,0,relative; \
flow:to_server,established; classtype:attempted-dos; \
reference:cve,CAN-2004-0120; \
reference:url,; \
sid:999999; rev:1 ; ) \