[Snort-sigs] Question about ssh gobbles alert (128:1)

Jeremy Hoel jthoel at ...2420...
Tue Feb 18 13:35:09 EST 2014


We had this fire last week between a SourceFire DC 750 and a linux box
that we use for backups.

This is the first time the rule has fired for this pair and it doesn't
make much sense:

on the SF DC

admin at ...3887...:~$ sshd -v
sshd: illegal option -- v
OpenSSH_5.9p1, OpenSSL 0.9.8y-fips 5 Feb 2013
...
Sourcefire Linux OS v4.10.0 (build 767)
Sourcefire Defense Center 750 v4.10.3.6 (build 17)
2.6.32.24sf.core264-15


on the linux server it's going to:
[root at ...3888... ~]# sshd -v
sshd: illegal option -- v
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
...
CentOS release 6.5 (Final), 2.6.32-431.1.2.0.1.el6.x86_64
openssh.x86_64                     5.3p1-94.el6
openssh-clients.x86_64             5.3p1-94.el6
openssh-server.x86_64              5.3p1-94.el6

Both of these are > OpenSSH v 3.4 that is talked about in the code for
the alert; also at the Cisco site:
http://tools.cisco.com/security/center/viewAlert.x?alertId=4061

Was something changed recently?

As a side note, we did recently upgrade to snort 2.6.0 on the sensor
that is seeing this traffic, so maybe something changed in that
rule-set version (paid VRT ruleset).
