[Snort-sigs] Question about ssh gobbles alert (128:1)

Jeremy Hoel jthoel at ...2420...
Tue Feb 18 13:35:09 EST 2014

We had this fire last week between a SourceFire DC 750 and a linux box
that we use for backups.

This is the first time the rule has fired for this pair and it doesn't
make much sense:

on the SF DC

admin at ...3887...:~$ sshd -v
sshd: illegal option -- v
OpenSSH_5.9p1, OpenSSL 0.9.8y-fips 5 Feb 2013
Sourcefire Linux OS v4.10.0 (build 767)
Sourcefire Defense Center 750 v4.10.3.6 (build 17)

on the linux server it's going to:
[root at ...3888... ~]# sshd -v
sshd: illegal option -- v
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
CentOS release 6.5 (Final), 2.6.32-431.
openssh.x86_64                     5.3p1-94.el6
openssh-clients.x86_64             5.3p1-94.el6
openssh-server.x86_64              5.3p1-94.el6

Both of these are > OpenSSH v 3.4 that is talked about in the code for
the alert; also at the Cisco site:

was something changed recently?

As a side note, we did recently upgrade to snort 2.6.0 on the sensor
that is seeing this traffic, so maybe something changed in that
rule-set version (paid VRT ruleset)
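A small triage helper for the question above, added here as an example and not part of the original post: it pulls the OpenSSH version out of either an SSH identification banner or the `sshd -v` output quoted in the mail, and reports whether a peer is older than the 3.4 version the alert code refers to. The banner strings are constructed; the output lines are the ones from the mail.

```python
import re
from typing import Dict, Optional, Tuple

# OpenSSH version the alert code is written against (from the post above).
GOBBLES_FIXED_VERSION: Tuple[int, int] = (3, 4)

# Matches "OpenSSH_5.9p1", "OpenSSH_3.4", "OpenSSH_6.6.1p1" inside a wire banner
# ("SSH-2.0-OpenSSH_5.9p1 ...") or inside "sshd -v" output ("OpenSSH_5.9p1, OpenSSL ...").
_OPENSSH_RE = re.compile(
    r"OpenSSH_(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?(?:p(?P<portable>\d+))?"
)


def parse_openssh_version(text: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) for an OpenSSH peer, or None if it is not OpenSSH."""
    m = _OPENSSH_RE.search(text.strip("\r\n"))
    if m is None:
        return None
    return int(m.group("major")), int(m.group("minor"))


def older_than_gobbles_fix(text: str) -> Optional[bool]:
    """True if the peer runs OpenSSH < 3.4, False if 3.4 or newer, None if unknown."""
    ver = parse_openssh_version(text)
    if ver is None:
        return None
    return ver < GOBBLES_FIXED_VERSION


def triage_alert(peers: Dict[str, str]) -> Dict[str, str]:
    """Classify each peer of a 128:1 alert as 'vulnerable-era', 'patched-era' or 'non-openssh'."""
    labels = {True: "vulnerable-era", False: "patched-era", None: "non-openssh"}
    return {host: labels[older_than_gobbles_fix(banner)] for host, banner in peers.items()}


if __name__ == "__main__":
    # Constructed sample: the two hosts from the mail plus a non-OpenSSH peer.
    sample = {
        "sf-dc-750": "OpenSSH_5.9p1, OpenSSL 0.9.8y-fips 5 Feb 2013",  # from sshd -v
        "backup-box": "SSH-2.0-OpenSSH_5.3p1",                         # constructed banner
        "legacy-box": "SSH-1.99-OpenSSH_3.1p1",                        # constructed banner
        "appliance": "SSH-2.0-dropbear_2012.55",                       # constructed banner
    }
    for host, verdict in triage_alert(sample).items():
        print(f"{host:12} {verdict}")
```

A 128:1 alert between two "patched-era" peers is a candidate false positive to raise with the ruleset vendor; a "vulnerable-era" peer is worth a closer look at the session itself.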
