[Snort-sigs] false hit crc32 for ssh

Michael Scheidell scheidell at ...183...
Sat Nov 3 09:19:01 EST 2001


New snort_rules (snort_current) downloaded this a.m.

Tried development version 11/02/01.
Snort thinks it is attempting to exploit the ssh CRC32 error:

references: bugtraq: http://www.securityfocus.com/bid/2347
       CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144
Snort sig that triggered this alert (the nulls used as filler at end of
packet):

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
(msg:"EXPLOIT ssh CRC32 overflow filler"; flags:A+; \
 content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; \
 reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
classtype:shellcode-detect; sid:1325; rev:1;)

This exploit only affects ssh ver 1 (I think) and this was ssh ver 2.
How would I go about making sure that this did not trigger on ssh ver 2?

How would I exclude a pattern BEFORE next pattern?
!content: (some trigger string) content: ?

Generated by ACID v0.9.6b17 on Fri November 02, 2001 17:03:00

----------------------------------------------------------------------------
#(7 - 1) [2001-11-02 17:01:18] [Bugtraq/2347] [CVE/CVE-2001-0144]  EXPLOIT ssh CRC32 overflow filler
IPv4: 192.168.45.6 -> 172.16.30.250
      hlen=5 TOS=0 dlen=528 ID=447 flags=0 offset=0 TTL=113 chksum=7900
TCP:  port=2611 -> dport: 22  flags=***AP*** seq=2242655498
      ack=750940359 off=5 res=0 win=31518 urp=0 chksum=39828
Payload:  length = 488

000 : 00 00 01 E4 09 14 D1 F2 81 EB 18 41 0E 85 78 EE   ...........A..x.
010 : 52 88 A4 ED 2E A4 00 00 00 3D 64 69 66 66 69 65   R........=diffie
020 : 2D 68 65 6C 6C 6D 61 6E 2D 67 72 6F 75 70 2D 65   -hellman-group-e
030 : 78 63 68 61 6E 67 65 2D 73 68 61 31 2C 64 69 66   xchange-sha1,dif
040 : 66 69 65 2D 68 65 6C 6C 6D 61 6E 2D 67 72 6F 75   fie-hellman-grou
050 : 70 31 2D 73 68 61 31 00 00 00 0F 73 73 68 2D 72   p1-sha1....ssh-r
060 : 73 61 2C 73 73 68 2D 64 73 73 00 00 00 83 33 64   sa,ssh-dss....3d
070 : 65 73 2D 63 62 63 2C 61 65 73 32 35 36 2D 63 62   es-cbc,aes256-cb
080 : 63 2C 72 69 6A 6E 64 61 65 6C 32 35 36 2D 63 62   c,rijndael256-cb
090 : 63 2C 72 69 6A 6E 64 61 65 6C 2D 63 62 63 40 6C   c,rijndael-cbc@l
0a0 : 79 73 61 74 6F 72 2E 6C 69 75 2E 73 65 2C 61 65   ysator.liu.se,ae
0b0 : 73 31 39 32 2D 63 62 63 2C 72 69 6A 6E 64 61 65   s192-cbc,rijndae
0c0 : 6C 31 39 32 2D 63 62 63 2C 61 65 73 31 32 38 2D   l192-cbc,aes128-
0d0 : 63 62 63 2C 72 69 6A 6E 64 61 65 6C 31 32 38 2D   cbc,rijndael128-
0e0 : 63 62 63 2C 62 6C 6F 77 66 69 73 68 2D 63 62 63   cbc,blowfish-cbc
0f0 : 2C 00 00 00 83 33 64 65 73 2D 63 62 63 2C 61 65   ,....3des-cbc,ae
100 : 73 32 35 36 2D 63 62 63 2C 72 69 6A 6E 64 61 65   s256-cbc,rijndae
110 : 6C 32 35 36 2D 63 62 63 2C 72 69 6A 6E 64 61 65   l256-cbc,rijndae
120 : 6C 2D 63 62 63 40 6C 79 73 61 74 6F 72 2E 6C 69   l-cbc@lysator.li
130 : 75 2E 73 65 2C 61 65 73 31 39 32 2D 63 62 63 2C   u.se,aes192-cbc,
140 : 72 69 6A 6E 64 61 65 6C 31 39 32 2D 63 62 63 2C   rijndael192-cbc,
150 : 61 65 73 31 32 38 2D 63 62 63 2C 72 69 6A 6E 64   aes128-cbc,rijnd
160 : 61 65 6C 31 32 38 2D 63 62 63 2C 62 6C 6F 77 66   ael128-cbc,blowf
170 : 69 73 68 2D 63 62 63 2C 00 00 00 17 68 6D 61 63   ish-cbc,....hmac
180 : 2D 73 68 61 31 2C 68 6D 61 63 2D 6D 64 35 2C 6E   -sha1,hmac-md5,n
190 : 6F 6E 65 00 00 00 17 68 6D 61 63 2D 73 68 61 31   one....hmac-sha1
1a0 : 2C 68 6D 61 63 2D 6D 64 35 2C 6E 6F 6E 65 00 00   ,hmac-md5,none..
1b0 : 00 0E 6E 6F 6E 65 2C 7A 6C 69 62 2C 6E 6F 6E 65   ..none,zlib,none
1c0 : 00 00 00 0E 6E 6F 6E 65 2C 7A 6C 69 62 2C 6E 6F   ....none,zlib,no
1d0 : 6E 65 00 00 00 00 00 00 00 00 00 00 00 00 00 EA   ne..............
1e0 : 31 0A 23 96 3C DF D8 78                           1.#.<..x


---
Michael Scheidell scheidell at ...183...
Florida Datamation, Inc. Updated Security News: http://www.fdma.com/
After system Compromise : http://www.cert.org/tech_tips/
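The payload in the ACID dump is a plain SSH2 KEXINIT message, and the 13 zero bytes that sid 1325 matched are not filler at all: they are the two empty language name-lists (4 + 4 bytes), the `first_kex_packet_follows` boolean (1 byte) and the reserved uint32 (4 bytes) that every KEXINIT ends with, followed by 9 bytes of random padding (EA 31 0A ...). The script below is an added example, not code from the post or from the Snort project; it rebuilds that packet from the fields in the hex dump (cookie, the ten name-lists including the trailing comma the client sent in both cipher lists, and the padding bytes), decodes it with the SSH2 binary-packet and KEXINIT layout later written down in RFC 4253, and reports whether a 13-null run falls inside that structural tail or somewhere it has no protocol explanation. The function and constant names are the example's own, and the synthetic "unexplained" packet in the test is constructed, not captured traffic.

```python
import struct

SSH_MSG_KEXINIT = 20
NULL_FILLER = b"\x00" * 13   # the content match in sid 1325

# KEXINIT fields transcribed from the hex dump above.  Both cipher lists end
# in a trailing comma exactly as the client sent them (hence 131 bytes each).
CIPHERS = ("3des-cbc,aes256-cbc,rijndael256-cbc,rijndael-cbc@lysator.liu.se,"
           "aes192-cbc,rijndael192-cbc,aes128-cbc,rijndael128-cbc,blowfish-cbc,")
ALERT_NAME_LISTS = [
    "diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1",  # kex
    "ssh-rsa,ssh-dss",                                                # host key
    CIPHERS, CIPHERS,                                                 # enc c2s / s2c
    "hmac-sha1,hmac-md5,none", "hmac-sha1,hmac-md5,none",             # mac c2s / s2c
    "none,zlib,none", "none,zlib,none",                               # comp c2s / s2c
    "", "",                                                           # lang c2s / s2c
]
ALERT_COOKIE = bytes.fromhex("d1f281eb18410e8578ee5288a4ed2ea4")
ALERT_PADDING = bytes.fromhex("ea310a23963cdfd878")


def name_list(s):
    """RFC 4251 name-list: uint32 length followed by comma-separated ASCII."""
    data = s.encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit_packet(name_lists, cookie, padding, first_kex_packet_follows=False):
    """Wrap a KEXINIT payload in an unencrypted SSH2 binary packet."""
    payload = (bytes([SSH_MSG_KEXINIT]) + cookie
               + b"".join(name_list(s) for s in name_lists)
               + bytes([int(first_kex_packet_follows)])
               + struct.pack(">I", 0))                   # reserved, always 0
    packet_length = 1 + len(payload) + len(padding)   # padding_length byte + payload + padding
    return struct.pack(">IB", packet_length, len(padding)) + payload + padding


def parse_binary_packet(pkt):
    """Split an SSH2 binary packet into (payload, padding), or raise ValueError."""
    if len(pkt) < 5:
        raise ValueError("too short for an SSH2 binary packet")
    packet_length, padding_length = struct.unpack(">IB", pkt[:5])
    if packet_length + 4 != len(pkt) or padding_length + 1 > packet_length:
        raise ValueError("length fields do not describe this buffer")
    payload_len = packet_length - padding_length - 1
    return pkt[5:5 + payload_len], pkt[5 + payload_len:]


def parse_kexinit(payload):
    """Decode KEXINIT; 'tail_offset' is where the language lists, boolean and reserved word begin."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists, tail_offset = 17, [], None   # 1 byte message id + 16 byte cookie
    for i in range(10):
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        lists.append(payload[pos:pos + n].decode("ascii"))
        pos += n
        if i == 7:
            tail_offset = pos
    first_follows = payload[pos] != 0
    (reserved,) = struct.unpack(">I", payload[pos + 1:pos + 5])
    if pos + 5 != len(payload):
        raise ValueError("trailing bytes after KEXINIT")
    return {"cookie": payload[1:17], "name_lists": lists,
            "first_kex_packet_follows": first_follows,
            "reserved": reserved, "tail_offset": tail_offset}


def classify_null_run(pkt):
    """Explain the first 13-null run in a packet the way sid 1325 would see it."""
    idx = pkt.find(NULL_FILLER)
    if idx < 0:
        return "no-match"
    try:
        payload, _padding = parse_binary_packet(pkt)
        kex = parse_kexinit(payload)
    except (ValueError, struct.error, IndexError, UnicodeDecodeError):
        return "not-ssh2-kexinit"
    # Two empty language lists (8 bytes), first_kex_packet_follows (1) and the
    # reserved word (4) are exactly 13 protocol-mandated zero bytes.
    tail_start = 5 + kex["tail_offset"]
    payload_end = 5 + len(payload)
    if idx >= tail_start and idx + len(NULL_FILLER) <= payload_end:
        return "kexinit-structural-nulls"
    return "unexplained-nulls"


# The 488-byte packet from the alert, rebuilt from the dump's fields.
ALERT_PACKET = build_kexinit_packet(ALERT_NAME_LISTS, ALERT_COOKIE, ALERT_PADDING)

if __name__ == "__main__":
    print(len(ALERT_PACKET), ALERT_PACKET[:5].hex(), ALERT_PACKET.find(NULL_FILLER))
    print(classify_null_run(ALERT_PACKET))
```

Run stand-alone it prints 488, the leading `000001e409` (packet_length 484, padding_length 9) and offset 466 (0x1d2), which is exactly where the null run sits in the dump, and classifies the alert as structural KEXINIT bytes. The check assumes the buffer starts on an SSH binary-packet boundary, which holds for the first KEXINIT a client sends right after its version string but not in general for a TCP stream; a real preprocessor would have to reassemble and track packet boundaries before applying it.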
