[Snort-sigs] Cywin SSH and EXPLOIT ssh CRC32 overflow filler

Grounds, Adam AGrounds at ...615...
Fri Feb 28 09:38:07 EST 2003


RE: EXPLOIT ssh CRC32 overflow filler > exploit.rules

After updating to the latest stable ruleset for 1.9.x, I started
receiving positives for this alert in my MySQL database.  Upon closer
inspection and some research, it turns out the my users who are using
the Cygwin toolset (source: http://www.cygwin.com) to SSH into their
production servers are generating this alert.  Every SSH initial
connection generates this alert.  I can not duplicate this using other
SSH clients at this time.  It appears that Cygwin's OpenSSH port pads
the last 22 blocks of the initiation string with 0's triggering this
alert.  I'm disabling the rule for myself, but I thought I'd throw a
head's up out to you fellow snorters.

  Grounds, Adam M
  EMS Infrastructure Group : Reliant Resources Inc.
  AGrounds at ...615... 




More information about the Snort-sigs mailing list