[Snort-sigs] FPs on ssh version overflows

Matthew Watchinski mwatchinski at ...435...
Mon Oct 15 11:06:36 EDT 2007


ssh is still marked experimental, but since there is no way to set this
parameter in the current code you can do the following to make this go away.

vi spp_ssh.h
modify value for SSH_MAX_PROTOVERS_STRING which is currently 40
recompile.

If you find one that works out well, please let us know and we'll change it.

Thanks
-matt

Russell Fulton wrote:
> Hi
> 
> I posted about this a while back but did not get any responses.
> 
> I am seeing quite a lot of hits on " ssh: Server version string overflow"
> 
> from standard ssh version strings between 40 and 50 characters.
> 
> Looking at the README.ssh file does not show anyway of changing the
> trigger point.
> 
> I'm currently using 2.7.0.1
> 
> Russell
> 
> PS. config for preprocessor:
> 
> preprocessor ssh: server_ports { 22 } \
>                   max_client_bytes 19600 \
>           disable_protomismatch \
>                   disable_paysize \
>                   max_encrypted_packets 20
> 
> 
> -------------------------------------------------------------------------
> This SF.net email is sponsored by: Splunk Inc.
> Still grepping through log files to find problems?  Stop.
> Now Search log events and configuration files using AJAX and a browser.
> Download your FREE copy of Splunk now >> http://get.splunk.com/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 





More information about the Snort-sigs mailing list