[Snort-sigs] ssh preprocessor false+ves

Russell Fulton r.fulton at ...575...
Thu Nov 27 17:43:34 EST 2008


We have quite a few users using this ssh client which keep triggering
this alert.  There does not seem to be a config option to set what is
an acceptable length for a preprocessor string.

META	
SID	CID	TimeStamp	Signature	Sig ID
6	23559198	2008-11-27 19:53:04	ssh: Server version string overflow	3
Sensor Hostname	Sensor Interface
monitor-dmzo.isec.auckland.ac.nz	dmz sensor
IP	
Source Address	Dest Address	Ver	Hdr Len	TOS	length	ID	flags	offset	TTL	chksum
83.76.100.121	130.216.50.12	4	5	0	84	1671	2	0	114	38259
Resolved Source	Resolved Dest
121-100.76-83.cust.bluewin.ch 	stat12.stat.auckland.ac.nz
TCP	
Source Port	Dest Port	Seq	Ack	Offset	Reserved	Flags	Window	Checksum	Urgent Ptr
52951	22	345242141	172217714	5	0	24	16690	15158	0
Options
None
Flags
RB 1	RB 0	URG	ACK	PSH	RST	SYN	FIN
			X 	X 			
DATA	

SSH-1.99-3.2.3 SSH Secure Shell for Windows.

