[Snort-sigs] Question about ssh gobbles alert (128:1)

Joel Esler (jesler) jesler at ...3865...
Tue Feb 18 14:37:53 EST 2014


This is a preprocessor alert.  So, it’s not something we’ve changed in terms of a rule.  

J

On Feb 18, 2014, at 1:35 PM, Jeremy Hoel <jthoel at ...2420...> wrote:

> We had this fire last week between a SourceFire DC 750 and a linux box
> that we use for backups.
> 
> This is the first time the rule has fired for this pair and it doesn't
> make much sense:
> 
> on the SF DC
> 
> admin at ...3887...:~$ sshd -v
> sshd: illegal option -- v
> OpenSSH_5.9p1, OpenSSL 0.9.8y-fips 5 Feb 2013
> ...
> Sourcefire Linux OS v4.10.0 (build 767)
> Sourcefire Defense Center 750 v4.10.3.6 (build 17)
> 2.6.32.24sf.core264-15
> 
> 
> on the Linux server it's going to:
> [root at ...3888... ~]# sshd -v
> sshd: illegal option -- v
> OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
> ...
> CentOS release 6.5 (Final), 2.6.32-431.1.2.0.1.el6.x86_64
> openssh.x86_64                     5.3p1-94.el6
> openssh-clients.x86_64             5.3p1-94.el6
> openssh-server.x86_64              5.3p1-94.el6
> 
> Both of these are > OpenSSH v 3.4 that is talked about in the code for
> the alert; also at the Cisco site:
> http://tools.cisco.com/security/center/viewAlert.x?alertId=4061
> 
> was something changed recently?
> 
> As a side note, we did recently upgrade to snort 2.6.0 on the sensor
> that is seeing this traffic, so maybe something changed in that
> rule-set version (paid VRT ruleset).
> 
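As an added illustration (not from this thread and not Snort's own code), the model below follows the check the Snort manual describes for the SSH preprocessor's Challenge-Response Overflow alert (GID 128, SID 1): after the key exchange it counts bytes sent to the server and alerts once they exceed max_client_bytes within the first max_encrypted_packets packets. The thresholds are Snort's documented defaults; that a server reply resets the unanswered-byte count is an assumption about the implementation, and the packet lists are constructed.

```python
# Simplified model of the check behind Snort GID 128, SID 1 (Challenge-Response
# Overflow, the "Gobbles" alert). Added example, not Snort's code: it follows the
# heuristic described in the Snort manual for the SSH preprocessor, which counts
# bytes sent to the server after the key exchange and alerts once they exceed
# max_client_bytes within the first max_encrypted_packets packets.
# Packet lists below are constructed; nothing is decrypted, only sizes matter.
from dataclasses import dataclass, field

MAX_ENCRYPTED_PACKETS = 25   # Snort default for max_encrypted_packets
MAX_CLIENT_BYTES = 19600     # Snort default for max_client_bytes
ALERT_128_1 = "128:1 SSH Challenge-Response Overflow exploit"


@dataclass
class SshSession:
    encrypted_pkts: int = 0
    client_bytes: int = 0          # unanswered bytes sent client -> server
    alerts: list = field(default_factory=list)

    def observe(self, direction: str, length: int) -> None:
        """Feed one encrypted packet; direction is 'c2s' or 's2c'."""
        if self.encrypted_pkts >= MAX_ENCRYPTED_PACKETS:
            return                  # Snort stops inspecting the session here
        self.encrypted_pkts += 1
        if direction == "c2s":
            self.client_bytes += length
            if self.client_bytes > MAX_CLIENT_BYTES and not self.alerts:
                self.alerts.append(ALERT_128_1)
        else:
            # Assumption: a server reply "answers" the client data, so the
            # count of unanswered client bytes starts over.
            self.client_bytes = 0


def run(packets):
    """Return the alerts a session made of (direction, length) packets raises."""
    session = SshSession()
    for direction, length in packets:
        session.observe(direction, length)
    return session.alerts


# Constructed sessions (sizes only):
# a backup job streaming data to the server with no reply in between,
BACKUP_PUSH = [("c2s", 2000)] * 12
# an interactive login: small requests, each answered by the server,
INTERACTIVE = [("c2s", 64), ("s2c", 128)] * 10
# and a bulk transfer where the server answers every few packets.
ACKED_BULK = ([("c2s", 3000)] * 5 + [("s2c", 32)]) * 4
```

The model shows why a session that pushes a large unanswered payload early, as a backup job to the Linux box might, trips the check regardless of the server's OpenSSH version; in Snort the usual remedies are raising max_client_bytes in the preprocessor configuration or a suppress entry for 128:1 scoped to the two hosts.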
