mkettler at ...189...
Wed Aug 14 05:26:01 EDT 2002
This isn't really doable as a mere snort signature. Snort is set up for
high-speed fixed content matching, with optional case insensitive matching,
but not breakdown of the data into integers and then doing less
than/greater than type operations. The only numeric type fields processed
by rules are header fields like the packet length.

Such detailed analysis of the SSH stream would likely need to be
implemented as a snort preprocessor.

However, before doing a preprocessor, is the integer in question sent over
the wire in plaintext? As best I can tell from the SSH protocol internet
drafts, the challenge response authentication is performed after the
encryption keys are already established, and it's a CR authentication
through an encrypted tunnel. Once the encryption is up, your ability to
analyze the content of the encrypted data is, or at least should be,
nonexistent. At that point all you can do is analyze things in the TCP/IP
headers.
At 02:50 PM 8/13/2002 -0500, kristofer-roy.g.reyes.1 wrote:
>I am trying to write a signature to detect the Integer/Boundary Condition
>overflow attack on OpenSSH 3.3 and earlier. Essentially, all exploits will
>send a packet containing an integer greater than or equal to some specific
>value. Is there any way to detect something like this?
>Thanks for the help,
>reyes at ...751...
>Snort-sigs mailing list
>Snort-sigs at lists.sourceforge.net
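Added illustration, not part of the list post above and not Snort code: it contrasts the two kinds of check the reply distinguishes. A fixed content match is a byte-substring test, while "integer >= some value" needs the bytes decoded as a number first, which is preprocessor territory. The threshold, the field offset and the sample payloads are constructed placeholders; the real value the original question refers to is not given on the page, and nothing here parses real SSH traffic.

```python
import struct

# Constructed placeholder for the "specific value" in the original question.
# The actual number is not on the page; it only matters that the check is
# a numeric comparison, not a byte pattern.
THRESHOLD = 0x00010000


def field_at(payload: bytes, offset: int):
    """Read a big-endian unsigned 32-bit field at `offset`.

    Returns None when the payload is too short, so a truncated packet is
    never mistaken for a match (or for a miss) by the caller.
    """
    if offset < 0 or len(payload) < offset + 4:
        return None
    return struct.unpack_from(">I", payload, offset)[0]


def integer_bound_check(payload: bytes, offset: int = 0,
                        threshold: int = THRESHOLD) -> bool:
    """Preprocessor-style check: decode the field, then compare numerically."""
    value = field_at(payload, offset)
    return value is not None and value >= threshold


def fixed_content_check(payload: bytes, pattern: bytes) -> bool:
    """What a plain content match can express: is this exact byte string present?"""
    return pattern in payload


def patterns_needed(threshold: int) -> int:
    """How many distinct 4-byte patterns a content-only rule set would need
    to cover every 32-bit value >= threshold. This is why ">=" does not
    reduce to a list of content matches."""
    return 2 ** 32 - threshold


if __name__ == "__main__":
    # Constructed sample payloads: a 32-bit field followed by filler bytes.
    at_limit = struct.pack(">I", THRESHOLD) + b"\x00" * 8
    above = struct.pack(">I", THRESHOLD + 0x1234) + b"\x00" * 8
    below = struct.pack(">I", THRESHOLD - 1) + b"\x00" * 8
    pattern = struct.pack(">I", THRESHOLD)

    for name, p in (("at_limit", at_limit), ("above", above), ("below", below)):
        print(f"{name:9s} content={fixed_content_check(p, pattern)!s:5s} "
              f"integer={integer_bound_check(p)}")
    print("patterns a content-only ruleset would need:", patterns_needed(THRESHOLD))
```

The `above` payload is the telling case: the numeric check fires, but the content match for the threshold's byte string does not, and no finite set of fixed patterns short of enumerating every value closes that gap. Both checks are equally blind once the field sits inside an encrypted SSH stream, which is the reply's second point.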