[Snort-sigs] FPs on ssh version overflows

Russell Fulton r.fulton at ...575...
Sun Oct 14 18:33:36 EDT 2007


I posted about this a while back but did not get any responses.

I am seeing quite a lot of hits on " ssh: Server version string overflow"

from standard ssh version strings between 40 and 50 characters.

Looking at the README.ssh file does not show anyway of changing the
trigger point.

I'm currently using


PS. config for preprocessor:

preprocessor ssh: server_ports { 22 } \
                  max_client_bytes 19600 \
          disable_protomismatch \
                  disable_paysize \
                  max_encrypted_packets 20

More information about the Snort-sigs mailing list