[Snort-sigs] RE: Snort-sigs digest, Vol 1 #97 - 4 msgs

Nelson, James (CC-MIS Plans and Prog) James.Nelson at ...74...
Mon Nov 5 07:47:02 EST 2001


Subject: [Snort-sigs] false hit crc32 for ssh

New snort_rules (snort_current) downloaded this am.

Tried development version 11/02/01.
Snort thinks it is attempting to exploit the ssh crc32 error:

references: bugtraq: http://www.securityfocus.com/bid/2347
       CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144
Snort sig that triggered this alert (the nulls used as filler at end of
packet):

> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
> (msg:"EXPLOIT ssh CRC32 overflow filler"; flags:A+; \
> content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; \
> reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
> classtype:shellcode-detect; sid:1325; rev:1;)

> This exploit only affects ssh ver 1 (I think) and this was ssh ver 2.
> How would I go about making sure that this did not trigger on ssh ver2?

I have not read about the hole in great detail, but I wanted to point out
that it may be important to ensure the SSHD.V2 daemon is configured so it
does not support SSH V1.  By default, most SSHDs that have V2 support also
support V1.

James
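
Added example, not part of the original message or of Snort: one way to check whether a host behind $HOME_NET can still negotiate SSH v1, from its identification banner or from the `Protocol` keyword in sshd_config. The banners and config text are constructed samples, and the `default` for a missing `Protocol` line is an assumption to adjust for the sshd build in use.

```python
import re

# Server identification string: "SSH-<protoversion>-<software> [comments]"
BANNER_RE = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")

def protocols_from_banner(banner):
    """Return the set of SSH protocol majors a server banner advertises."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % banner)
    major, minor = int(m.group(1)), int(m.group(2))
    if (major, minor) == (1, 99):
        return {1, 2}      # 1.99: a v2 server that still accepts v1 clients
    if major == 1:
        return {1}
    return {2}

def protocols_from_sshd_config(text, default=(2, 1)):
    """Return the protocol majors enabled by the 'Protocol' keyword.

    `default` is an assumption used when the keyword is absent or
    commented out; set it to match the sshd build being audited.
    """
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if len(parts) == 2 and parts[0].lower() == "protocol":
            # sshd uses the first value it reads for a keyword
            return {int(p) for p in parts[1].replace(" ", "").split(",") if p}
    return set(default)

def v1_reachable(protocols):
    """True when SSH v1 can still be negotiated, so sid 1325 alerts need review."""
    return 1 in protocols

if __name__ == "__main__":
    # Constructed sample banners
    for b in ("SSH-1.99-OpenSSH_2.9p2", "SSH-2.0-OpenSSH_3.0p1", "SSH-1.5-1.2.27"):
        protos = protocols_from_banner(b)
        print(b, sorted(protos), "v1 reachable" if v1_reachable(protos) else "v2 only")
    # Constructed sample config
    cfg = "Port 22\n#Protocol 2,1\nProtocol 2\n"
    print("config:", sorted(protocols_from_sshd_config(cfg)))
```

A host that reports `SSH-2.0` and whose config resolves to `{2}` is a candidate for a `pass` rule or a narrowed `$HOME_NET` for this signature; a `1.99` banner means v1 is still on offer.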



