[Snort-users] Aw...

Chr. v. Stuckrad stucki at ...3882...
Fri Nov 23 14:36:04 EST 2001


Hi!

On Fri, Nov 23, 2001 at 05:08:47PM -0500, Tim Sailer wrote:
> It's a sad day when both snort.org and whitehats are both down at the same 
> time.
> 
> I'm seeing a LOT of the ssh crc attacks in the logs of the machines that
> actually log to my central machine. Does someone have a snort rule to
> detect this?

Before trying to find out, who seems to break in, ask the
users there whether they use the ssh2-protocol!

The SSH2-Protocol seems to generate one false positive
per connection startup in the rule containing (the zero-fill)
	'EXPLOIT ssh CRC32 overflow filler'

So we had to ignore those... (which was no problem, because
our old vulnerable ssh1's are gone).

Stucki

-- 
Christoph von Stuckrad       * *  | nickname  | <stucki at ...3882...> \
Freie Universitaet Berlin    |/_* | 'stucki'  | Tel(days):+49 30 838-75 459 |
Fachbereich Mathematik, EDV  |\ * | if online | Tel(else):+49 30 77 39 6600 |
Arnimallee 2-6/14195 Berlin  * *  | on IRCnet | Fax(alle):+49 30 838-75454 /




More information about the Snort-users mailing list