[Snort-sigs] ssh CRC32 overflow filler - detected correct?

zaire zaire at ...348...
Fri Feb 22 11:41:10 EST 2002


Not to state the obvious but, since you looked at the signature that was
tripped, you can see why the alert was triggered.

content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|";


I also had a few false positives with this signature when exchanging keys
for the first time between two hosts that had never talked to each other.

Ask yourself:

Validation is key: did the version you were running have ssh 1
compatibility?

Did it meet ANY of the vulnerable service specs mentioned in the
advisory?


-z
On Tue, 19 Feb 2002, Thomas Igler wrote:

> Hi there,
>
> I have the Cygwin port of openssh running on the one side and openssh on rh
> on the other, both version 3.0.2p1 ... but I can see the following entry
> made by snort:
>
> [**] [1:1325:2] EXPLOIT ssh CRC32 overflow filler [**]
> [Classification: Executable code was detected] [Priority: 1]
> 02/15-18:18:06.943053 157.163.188.96:3602 -> 157.163.188.97:22
> TCP TTL:128 TOS:0x0 ID:4874 IpLen:20 DgmLen:392 DF
> ***AP*** Seq: 0x71DAA2D8  Ack: 0x9C5AC235  Win: 0x4458  TcpLen: 20
> [Xref => http://www.securityfocus.com/bid/2347]
> [Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]
>
> so my question is: is the rule correct and openssh 3.0.2p1 is vulnerable, or
> is the rule:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow
> filler"; flags:A+; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> 00 00|"; reference:bugtraq,2347; reference:cve,CVE-2001-0144;
> classtype:shellcode-detect; sid:1325; rev:2;)
>
> in exploit.rules of the downloadable actual snort version incorrect -
> depending on 3.0.2p1
>
> bye
>           thig
>
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
>