[Snort-sigs] RE: Snort-sigs digest, Vol 1 #97 - 4 msgs
Nelson, James (CC-MIS Plans and Prog)
James.Nelson at ...74...
Mon Nov 5 07:47:02 EST 2001
Subject: [Snort-sigs] false hit crc32 for ssh
New snort_rules (snort_current) dloaded this am.
tried development version 11/02/01
snort thinks it is attempting to exploit the ssh crc32 error:
references: bugtraq: http://www.securityfocus.com/bid/2347
snort sig that triggered this alert: (the nulls used as filler at end of
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
> (msg:"EXPLOIT ssh CRC32 overflow filler"; flags:A+; \
> content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; \
> reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
> classtype:shellcode-detect; sid:1325; rev:1;)
> This exploit only affects ssh ver 1 (I think) and this was ssh ver 2.
> how would I go about making sure that this did not trigger on ssh ver2?
I have not read about the hole in great detail, but I wanted to point out
that it may be important to assure the SSHD.V2 daemon is configured so it
does not support SSH V1. By default, most SSHDs that have V2 support also
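
One way to check the point raised in this reply, added here as an example and not part of the original message: an SSH server announces its protocol version in the identification string it sends on connect, and a version of 1.99 means an SSH-2 server that still accepts SSH-1 clients (RFC 4253, section 5.1). The function names, host names and banners below are constructed for illustration.

```python
import re
import socket

# "SSH-protoversion-softwareversion[ SP comments]" (RFC 4253, section 4.2)
_IDENT = re.compile(r"^SSH-(\d+)\.(\d+)-(\S+)")

def classify_ident(data: bytes) -> dict:
    """Return which SSH protocol versions an identification string advertises."""
    for raw in data.splitlines():
        line = raw.decode("ascii", "replace").strip()
        m = _IDENT.match(line)
        if not m:
            continue  # servers may send other text lines before the ident string
        major, minor = int(m.group(1)), int(m.group(2))
        if (major, minor) == (1, 99):
            protos = {1, 2}   # 1.99: SSH-2 server that also accepts SSH-1 clients
        elif major == 1:
            protos = {1}
        elif major == 2:
            protos = {2}
        else:
            protos = set()
        return {"ident": line, "protocols": protos, "accepts_v1": 1 in protos}
    return {"ident": None, "protocols": set(), "accepts_v1": False}

def read_ident(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Read the first bytes a server sends on connect (its identification string)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(512)

def hosts_accepting_v1(idents: dict) -> list:
    """Names of hosts whose captured ident shows SSH-1 is still enabled."""
    return sorted(h for h, d in idents.items() if classify_ident(d)["accepts_v1"])

# Constructed sample data: host names and banners are made up for illustration.
SAMPLE = {
    "hostA": b"SSH-1.99-OpenSSH_2.9p2\n",
    "hostB": b"SSH-2.0-OpenSSH_3.0p1\r\n",
    "hostC": b"SSH-1.5-1.2.27\n",
    "hostD": b"Welcome\r\nSSH-2.0-ExampleServer_1.0 test build\r\n",
    "hostE": b"220 not ssh\r\n",
}

if __name__ == "__main__":
    print(hosts_accepting_v1(SAMPLE))
```

Hosts reported by hosts_accepting_v1 are the ones where the CRC32 alert still matters; on hosts that only advertise 2.0 the daemon will not negotiate SSH-1 at all.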