[Snort-sigs] FPs on ssh version overflows

Russell Fulton r.fulton at ...575...
Sun Oct 14 18:33:36 EDT 2007


Hi

I posted about this a while back but did not get any responses.

I am seeing quite a lot of hits on " ssh: Server version string overflow"

from standard ssh version strings between 40 and 50 characters.

Looking at the README.ssh file does not show anyway of changing the
trigger point.

I'm currently using 2.7.0.1

Russell

PS. config for preprocessor:

preprocessor ssh: server_ports { 22 } \
                  max_client_bytes 19600 \
          disable_protomismatch \
                  disable_paysize \
                  max_encrypted_packets 20





More information about the Snort-sigs mailing list