[Snort-sigs] ssh CRC32 overflow filler - detected correct?

Thomas Igler thig at ...369...
Tue Feb 19 02:20:02 EST 2002


Hi there,

I am running the Cygwin port of openssh on one side and openssh on rh
on the other,
both version 3.0.2p1 ... but I can see the following entry made by snort:

[**] [1:1325:2] EXPLOIT ssh CRC32 overflow filler [**]
[Classification: Executable code was detected] [Priority: 1]
02/15-18:18:06.943053 157.163.188.96:3602 -> 157.163.188.97:22
TCP TTL:128 TOS:0x0 ID:4874 IpLen:20 DgmLen:392 DF
***AP*** Seq: 0x71DAA2D8  Ack: 0x9C5AC235  Win: 0x4458  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2347]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]

so my question is: is the rule correct and openssh 3.0.2p1 vulnerable, or
is the
rule:

alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flags:A+; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144; classtype:shellcode-detect; sid:1325; rev:2;)

in exploit.rules of the currently downloadable snort version incorrect -
depending on 3.0.2p1

bye
          thig
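An added example, not from the post or from the Snort rule set: a small Python matcher that parses the quoted rule's content and flags options and applies them to constructed payloads. It shows that sid 1325 rev 2 keys on any run of 18 zero bytes in an ACK-bearing packet, with no offset, depth or protocol-version check, which is why the rule's author called it a "filler" signature. Port and direction matching are assumed to have already been done by the caller.

```python
import re

# The rule quoted in the post (sid:1325 rev:2), joined onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
        '(msg:"EXPLOIT ssh CRC32 overflow filler"; flags:A+; '
        'content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; '
        'reference:bugtraq,2347; reference:cve,CVE-2001-0144; '
        'classtype:shellcode-detect; sid:1325; rev:2;)')

# TCP flag bits as Snort names them (reserved bits 1/2 are not handled here).
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

def parse_content(rule):
    """Turn the content:"..." option into bytes; text between | | is hex."""
    raw = re.search(r'content:"([^"]*)"', rule).group(1)
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)

def parse_flags(rule):
    """Return (required_mask, exact). A trailing '+' means other flags may be set."""
    m = re.search(r'flags:([FSRPAU]+)(\+?)', rule)
    mask = 0
    for ch in m.group(1):
        mask |= FLAG_BITS[ch]
    return mask, m.group(2) != "+"

def rule_matches(rule, tcp_flags, payload):
    """Apply the flags and content options of the rule to one TCP segment."""
    mask, exact = parse_flags(rule)
    if exact and tcp_flags != mask:
        return False
    if not exact and tcp_flags & mask != mask:
        return False
    return parse_content(rule) in payload   # no offset/depth: anywhere in payload

# Constructed sample segments (not captured traffic). ***AP*** in the alert = ACK|PSH.
ALERT_FLAGS = FLAG_BITS["A"] | FLAG_BITS["P"]

def demo():
    filler = b"\x00" * 18
    return {
        "zero_run_ack_psh": rule_matches(RULE, ALERT_FLAGS, b"abc" + filler + b"xyz"),
        "banner_only": rule_matches(RULE, ALERT_FLAGS, b"SSH-2.0-OpenSSH_3.0.2p1\r\n"),
        "zero_run_syn_only": rule_matches(RULE, FLAG_BITS["S"], filler),
        "seventeen_zeros": rule_matches(RULE, ALERT_FLAGS, b"\x00" * 17),
    }
```

Only the first constructed segment fires; the zero run by itself is enough, so any SSH session that happens to carry 18 consecutive zero bytes in one segment will raise this alert.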