[Snort-sigs] OpenSSH

Matt Kettler mkettler at ...189...
Wed Aug 14 05:26:01 EDT 2002

This isn't really doable as a mere snort signature. Snort is set up for 
high-speed fixed content matching, with optional case insensitive matching, 
but not breakdown of the data into integers and then doing less 
than/greater than type operations. The only numeric type fields processed 
by rules are header fields like the packet length.

Such detailed analysis of the SSH stream would likely need to be 
implemented as a snort preprocessor.

However, before doing a pre-processor, is the integer in question sent over 
the wire in plaintext? As best I can tell from the SSH protocol internet 
drafts, the challenge-response authentication is performed after the encryption 
keys are already established, so it's a CR authentication through an 
encrypted tunnel. Once the encryption is up, your ability to analyze the 
content of the encrypted data is, or at least should be, nonexistent. At 
that point all you can do is analyze things in the TCP/IP headers.

At 02:50 PM 8/13/2002 -0500, kristofer-roy.g.reyes.1 wrote:
>I am trying to write a signature to detect the Integer/Boundary Condition
>overflow attack on OpenSSH 3.3 and earlier. Essentially, all exploits will
>send a packet containing an integer greater than or equal to some specific
>value. Is there any way to detect something like this?
>Thanks for the help,
>Kris Reyes
>reyes at ...751...
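To make the two points in the reply concrete, here is an added example (not code from the thread, and not Snort itself): a small Python model of a signature engine. It contrasts a fixed-byte `content` match with a numeric compare of an integer field (the shape of check the question asks for, which Snort's later `byte_test` rule option performs), and then applies both to the same message after it has passed through a stand-in for the encrypted tunnel. The message layout, the type byte, the threshold and the XOR "cipher" are all constructed placeholders for this example, not the real SSH wire format or SSH's cryptography.

```python
# Added example, not code from the thread: a toy model of Snort-style
# payload inspection. It shows (1) why a fixed 'content' match cannot express
# "integer >= N", and (2) why payload checks of any kind are meaningless once
# the stream is inside the encrypted SSH tunnel.
import struct


def content_match(payload: bytes, pattern: bytes) -> bool:
    """Model of Snort's 'content' option: a fixed byte string anywhere in the payload."""
    return pattern in payload


def byte_test(payload: bytes, offset: int, length: int, op: str, value: int) -> bool:
    """Numeric compare of a big-endian integer at a fixed offset (what the
    requested rule would need; Snort's later byte_test option has this shape)."""
    if offset + length > len(payload):
        return False
    n = int.from_bytes(payload[offset:offset + length], "big")
    return {">=": n >= value, ">": n > value, "<": n < value, "==": n == value}[op]


# Constructed message layout (an assumption for this example, NOT the real SSH
# wire format): a 1-byte message type followed by a 4-byte big-endian count.
MSG_TYPE = 0x3C        # placeholder type byte
THRESHOLD = 0x10000    # placeholder boundary value


def build_msg(count: int) -> bytes:
    return struct.pack(">BI", MSG_TYPE, count)


def toy_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """Stand-in for the encrypted tunnel: XOR with a repeating key. This is a
    toy, not SSH's cipher; it only models 'every payload byte is transformed'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(plaintext))


def inspect(payload: bytes) -> dict:
    """Run both rule styles against one payload."""
    return {
        # A content rule can only name one exact value of the field.
        "content_hit": content_match(payload, build_msg(THRESHOLD)),
        # A numeric rule covers the whole range >= THRESHOLD.
        "numeric_hit": byte_test(payload, 1, 4, ">=", THRESHOLD),
        # The only thing left once the payload is opaque: header-level facts.
        "length": len(payload),
    }


def demo(key: bytes = b"\x5a\xa5\x3c\xc3") -> dict:
    """Compare plaintext vs. encrypted views for counts around the boundary.
    The key is a constructed placeholder."""
    results = {}
    for label, count in (("below", THRESHOLD - 1),
                         ("exact", THRESHOLD),
                         ("above", THRESHOLD + 1)):
        plain = build_msg(count)
        results[label + "_plain"] = inspect(plain)
        results[label + "_encrypted"] = inspect(toy_encrypt(plain, key))
    return results


if __name__ == "__main__":
    for name, view in demo().items():
        print(f"{name:18} {view}")
```

On plaintext, the content rule fires only for the one exact value it spells out, while the numeric compare fires for every value at or above the boundary. On the "encrypted" copies the content rule never fires, and the numeric compare returns whatever the transformed bytes happen to say (a hit on the below-threshold message, for instance), which is the reply's point: past key exchange a payload rule has nothing meaningful to look at, and only header-level facts such as length survive.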