[Snort-sigs] Question about ssh gobbles alert (128:1)

Jeremy Hoel jthoel at ...2420...
Tue Feb 18 15:27:45 EST 2014


I agree.  And I planned on whitelisting that, just surprised to see it
fire.
On Feb 18, 2014 1:08 PM, "Joel Esler (jesler)" <jesler at ...3865...> wrote:

> Sorry, hit send too soon.  The answer to the second part of your question
> is, if your systems are running a non-vulnerable version of Openssh, then
> I'd recommend shutting this rule off.
>
>
> On Feb 18, 2014, at 1:35 PM, Jeremy Hoel <jthoel at ...2420...> wrote:
>
> > We had this fire last week between a SourceFire DC 750 and a linux box
> > that we use for backups.
> >
> > This is the first time the rule has fired for this pair and it doesn't
> > make much sense:
> >
> > on the SF DC
> >
> > admin at ...3887...:~$ sshd -v
> > sshd: illegal option -- v
> > OpenSSH_5.9p1, OpenSSL 0.9.8y-fips 5 Feb 2013
> > ...
> > Sourcefire Linux OS v4.10.0 (build 767)
> > Sourcefire Defense Center 750 v4.10.3.6 (build 17)
> > 2.6.32.24sf.core264-15
> >
> >
> > on the linux server it's going to:
> > [root at ...3888... ~]# sshd -v
> > sshd: illegal option -- v
> > OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
> > ...
> > CentOS release 6.5 (Final), 2.6.32-431.1.2.0.1.el6.x86_64
> > openssh.x86_64                     5.3p1-94.el6
> > openssh-clients.x86_64             5.3p1-94.el6
> > openssh-server.x86_64              5.3p1-94.el6
> >
> > Both of these are > OpenSSH v 3.4 that is talked about in the code for
> > the alert; also at the Cisco site:
> > http://tools.cisco.com/security/center/viewAlert.x?alertId=4061
> >
> > was something changed recently?
> >
> > As a side note, we did recently upgrade to snort 2.6.0 on the sensor
> > that is seeing this traffic, so maybe something changed in that
> > rule-set version (paid VRT ruleset)
> >
> >
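A small triage helper for the decision discussed in the thread, added here as an example and not taken from any post, from Sourcefire or from Snort itself: it parses the OpenSSH version strings quoted above, applies the "newer than OpenSSH 3.4" threshold the thread cites for the 128:1 rule, and emits Snort threshold.conf `suppress` entries for the hosts the rule cannot apply to. The IP addresses and the 3.3p1 host are constructed assumptions, and the suppress entry uses standard threshold.conf syntax rather than anything quoted from the list.

```python
import re

# Version strings quoted in the thread plus one hypothetical old host.
# IPs are placeholders (constructed), since the archive masks the hostnames.
BANNERS = {
    "192.0.2.10": "OpenSSH_5.9p1, OpenSSL 0.9.8y-fips 5 Feb 2013",   # SF DC 750
    "192.0.2.20": "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013",  # CentOS 6.5 box
    "192.0.2.30": "OpenSSH_3.3p1",  # constructed: a host inside the rule's range
}

# Threshold as stated in the thread: anything newer than OpenSSH 3.4 is outside
# the range the challenge-response overflow (Gobbles) rule exists for.
LAST_AFFECTED = (3, 4)

_VERSION_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(?:p\d+)?")


def parse_openssh_version(banner):
    """Return (major, minor) from an OpenSSH version/banner string, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)))


def gobbles_relevant(banner):
    """True if the host's OpenSSH is in the range the 128:1 rule targets (<= 3.4).

    An unrecognised banner is treated as relevant: keep the rule on rather
    than suppress an alert on a host whose build we could not identify.
    """
    version = parse_openssh_version(banner)
    if version is None:
        return True
    return version <= LAST_AFFECTED


def suppress_lines(banners, gid=128, sid=1):
    """Snort threshold.conf 'suppress' entries for the non-vulnerable hosts.

    The overflow is against the SSH server, so each entry tracks by_dst
    on the server's address.
    """
    lines = []
    for ip, banner in sorted(banners.items()):
        if not gobbles_relevant(banner):
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {ip}")
    return lines


if __name__ == "__main__":
    for line in suppress_lines(BANNERS):
        print(line)
```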