[Snort-sigs] false hit crc32 for ssh

Douglas Elznic dfe at ...200...
Sun Nov 18 15:03:01 EST 2001


I have experienced the same thing, and both server and client were v2 with the
latest patches...


On Sat, 2001-11-03 at 12:18, Michael Scheidell wrote:
> New snort_rules (snort_current) downloaded this am.
> 
> tried development version 11/02/01
> snort thinks it is attempting to exploit the ssh crc32 error:
> 
> references: bugtraq: http://www.securityfocus.com/bid/2347
>        CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144
> snort sig that triggered this alert: (the nulls used as filler at end of
> packet).
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 \
> (msg:"EXPLOIT ssh CRC32 overflow filler"; flags:A+; \
>  content:"|00 00 00 00 00 00 00 00 00 00 00 00 00|"; \
>  reference:bugtraq,2347; reference:cve,CVE-2001-0144; \
> classtype:shellcode-detect; sid:1325; rev:1;)
> 
> This exploit only affects ssh ver 1 (I think) and this was ssh ver 2.
> How would I go about making sure that this did not trigger on ssh ver2?
> 
> How would I exclude a pattern BEFORE next pattern?
> !content: (some trigger string) content: ?
> 
> Generated by ACID v0.9.6b17 on Fri November 02, 2001 17:03:00
> 
> ------------------------------------------------------------------------------
> #(7 - 1) [2001-11-02 17:01:18] [Bugtraq/2347] [CVE/CVE-2001-0144]  EXPLOIT ssh CRC32 overflow filler
> IPv4: 192.168.45.6 -> 172.16.30.250
>       hlen=5 TOS=0 dlen=528 ID=447 flags=0 offset=0 TTL=113 chksum=7900
> TCP:  port=2611 -> dport: 22  flags=***AP*** seq=2242655498
>       ack=750940359 off=5 res=0 win=31518 urp=0 chksum=39828
> Payload:  length = 488
> 
> 000 : 00 00 01 E4 09 14 D1 F2 81 EB 18 41 0E 85 78 EE   ...........A..x.
> 010 : 52 88 A4 ED 2E A4 00 00 00 3D 64 69 66 66 69 65   R........=diffie
> 020 : 2D 68 65 6C 6C 6D 61 6E 2D 67 72 6F 75 70 2D 65   -hellman-group-e
> 030 : 78 63 68 61 6E 67 65 2D 73 68 61 31 2C 64 69 66   xchange-sha1,dif
> 040 : 66 69 65 2D 68 65 6C 6C 6D 61 6E 2D 67 72 6F 75   fie-hellman-grou
> 050 : 70 31 2D 73 68 61 31 00 00 00 0F 73 73 68 2D 72   p1-sha1....ssh-r
> 060 : 73 61 2C 73 73 68 2D 64 73 73 00 00 00 83 33 64   sa,ssh-dss....3d
> 070 : 65 73 2D 63 62 63 2C 61 65 73 32 35 36 2D 63 62   es-cbc,aes256-cb
> 080 : 63 2C 72 69 6A 6E 64 61 65 6C 32 35 36 2D 63 62   c,rijndael256-cb
> 090 : 63 2C 72 69 6A 6E 64 61 65 6C 2D 63 62 63 40 6C   c,rijndael-cbc@l
> 0a0 : 79 73 61 74 6F 72 2E 6C 69 75 2E 73 65 2C 61 65   ysator.liu.se,ae
> 0b0 : 73 31 39 32 2D 63 62 63 2C 72 69 6A 6E 64 61 65   s192-cbc,rijndae
> 0c0 : 6C 31 39 32 2D 63 62 63 2C 61 65 73 31 32 38 2D   l192-cbc,aes128-
> 0d0 : 63 62 63 2C 72 69 6A 6E 64 61 65 6C 31 32 38 2D   cbc,rijndael128-
> 0e0 : 63 62 63 2C 62 6C 6F 77 66 69 73 68 2D 63 62 63   cbc,blowfish-cbc
> 0f0 : 2C 00 00 00 83 33 64 65 73 2D 63 62 63 2C 61 65   ,....3des-cbc,ae
> 100 : 73 32 35 36 2D 63 62 63 2C 72 69 6A 6E 64 61 65   s256-cbc,rijndae
> 110 : 6C 32 35 36 2D 63 62 63 2C 72 69 6A 6E 64 61 65   l256-cbc,rijndae
> 120 : 6C 2D 63 62 63 40 6C 79 73 61 74 6F 72 2E 6C 69   l-cbc@lysator.li
> 130 : 75 2E 73 65 2C 61 65 73 31 39 32 2D 63 62 63 2C   u.se,aes192-cbc,
> 140 : 72 69 6A 6E 64 61 65 6C 31 39 32 2D 63 62 63 2C   rijndael192-cbc,
> 150 : 61 65 73 31 32 38 2D 63 62 63 2C 72 69 6A 6E 64   aes128-cbc,rijnd
> 160 : 61 65 6C 31 32 38 2D 63 62 63 2C 62 6C 6F 77 66   ael128-cbc,blowf
> 170 : 69 73 68 2D 63 62 63 2C 00 00 00 17 68 6D 61 63   ish-cbc,....hmac
> 180 : 2D 73 68 61 31 2C 68 6D 61 63 2D 6D 64 35 2C 6E   -sha1,hmac-md5,n
> 190 : 6F 6E 65 00 00 00 17 68 6D 61 63 2D 73 68 61 31   one....hmac-sha1
> 1a0 : 2C 68 6D 61 63 2D 6D 64 35 2C 6E 6F 6E 65 00 00   ,hmac-md5,none..
> 1b0 : 00 0E 6E 6F 6E 65 2C 7A 6C 69 62 2C 6E 6F 6E 65   ..none,zlib,none
> 1c0 : 00 00 00 0E 6E 6F 6E 65 2C 7A 6C 69 62 2C 6E 6F   ....none,zlib,no
> 1d0 : 6E 65 00 00 00 00 00 00 00 00 00 00 00 00 00 EA   ne..............
> 1e0 : 31 0A 23 96 3C DF D8 78                           1.#.<..x
> 
> 
> ---
> Michael Scheidell scheidell at ...183...
> Florida Datamation, Inc. Updated Security News: http://www.fdma.com/
> After system Compromise : http://www.cert.org/tech_tips/
> 
> 
> 
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
-- 
+-----------------+---------------------------------------------------+
| Douglas Elznic  |         <dfe at ...200...>  http://anize.org         |
+-----------------+---------------------------------------------------+
| Encrypted email | They that can give up liberty to obtain a little  |
|  is encouraged  |temporary safety deserve neither liberty or safety.|
+-----------------+---------------------------------------------------+
|   http://pgp.dtype.org:11371/pks/lookup?op=get&search=0x13300731    |
+-------| EF9C 7E3C 0327 EAAF 1E20  5299 0805 7531 1330 0731 |--------+
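The packet in the quoted alert is an SSH2 key-exchange negotiation (message byte 0x14 = KEXINIT after the 4-byte length and 1-byte padding-length), and per RFC 4253 section 7.1 every KEXINIT ends with two language name-lists (normally empty), a first_kex_packet_follows boolean and a reserved uint32, which together are exactly 13 null bytes when the language lists are empty. The following Python is an added example, not from the thread, that builds a minimal KEXINIT from constructed, shortened name-lists with a fixed cookie and fixed padding, parses it field by field, and emulates the 13-null content check of sid 1325 against it, so the reader can see which field the match lands on:

```python
import struct
SSH_MSG_KEXINIT = 20
FILLER = b"\x00" * 13  # the content string matched by Snort sid 1325
# Constructed sample name-lists (shortened; not the ones in the capture).
KEX = b"diffie-hellman-group1-sha1"
HOSTKEY = b"ssh-rsa,ssh-dss"
CIPHER = b"3des-cbc,aes128-cbc"
MAC = b"hmac-sha1"
COMP = b"none,zlib"
COOKIE = bytes(range(1, 17))  # constructed cookie with no null bytes
def name_list(s: bytes) -> bytes:
    return struct.pack(">I", len(s)) + s  # uint32 length + names

def build_kexinit(langs: bytes = b"") -> bytes:
    """Build an SSH2 binary packet carrying KEXINIT (RFC 4253 6 and 7.1)."""
    payload = bytes([SSH_MSG_KEXINIT]) + COOKIE
    for lst in (KEX, HOSTKEY, CIPHER, CIPHER, MAC, MAC, COMP, COMP, langs, langs):
        payload += name_list(lst)
    payload += b"\x00" * 5  # first_kex_packet_follows = FALSE, reserved uint32 = 0
    # Padding: at least 4 bytes, and the whole packet a multiple of 8 bytes.
    pad_len = 8 - ((5 + len(payload)) % 8)
    if pad_len < 4:
        pad_len += 8
    padding = b"\xea" * pad_len  # fixed stand-in for the random padding bytes
    packet_len = 1 + len(payload) + pad_len
    return struct.pack(">IB", packet_len, pad_len) + payload + padding

def parse_kexinit(packet: bytes) -> dict:
    """Split the packet into its fields so each null byte can be attributed."""
    packet_len, pad_len = struct.unpack(">IB", packet[:5])
    end = 5 + packet_len - 1 - pad_len
    payload, padding = packet[5:end], packet[end:5 + packet_len]
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT message")
    pos, lists = 17, []  # skip the message byte and the 16-byte cookie
    for _ in range(10):  # kex, hostkey, 2x cipher, 2x mac, 2x comp, 2x lang
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        lists.append(payload[pos + 4:pos + 4 + n])
        pos += 4 + n
    follows = payload[pos]
    (reserved,) = struct.unpack(">I", payload[pos + 1:pos + 5])
    # tail = last 13 payload bytes: two language lists, boolean, reserved.
    return {"lists": lists, "follows": follows, "reserved": reserved,
            "padding": padding, "tail": payload[-13:],
            "filler_offset": packet.find(FILLER)}

def sid1325_matches(packet: bytes) -> bool:
    # Emulate the rule's content check: 13 consecutive null bytes anywhere.
    return FILLER in packet
```

Giving the language lists a non-empty value (e.g. `build_kexinit(langs=b"en-US")`) breaks the null run and the emulated rule no longer fires, which is the structural reason the match is tied to ordinary SSH2 negotiation rather than to an overflow attempt.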

