Chr. v. Stuckrad
stucki at ...3882...
Fri Nov 23 14:36:04 EST 2001
On Fri, Nov 23, 2001 at 05:08:47PM -0500, Tim Sailer wrote:
> It's a sad day when both snort.org and whitehats are both down at the same
> I'm seeing a LOT of the ssh crc attacks in the logs of the machines that
> actually log to my central machine. Does someone have a snort rule to
> detect this?
Before trying to find out who seems to break in, ask the
users there whether they use the ssh2 protocol!
The SSH2 protocol seems to generate one false positive
per connection startup in the rule containing (the zero-fill)
'EXPLOIT ssh CRC32 overflow filler'.
So we had to ignore those... (which was no problem, because
our old vulnerable ssh1's are gone).
Christoph von Stuckrad * * | nickname | <stucki at ...3882...> \
Freie Universitaet Berlin |/_* | 'stucki' | Tel(days):+49 30 838-75 459 |
Fachbereich Mathematik, EDV |\ * | if online | Tel(else):+49 30 77 39 6600 |
Arnimallee 2-6/14195 Berlin * * | on IRCnet | Fax(alle):+49 30 838-75454 /