[Snort-users] ygwin SSH triggers false CRC32 EXPLOIT FILLER alarm

podsednm at ...4150... podsednm at ...4150...
Mon Nov 26 06:22:14 EST 2001


Hello,
Sorry if this has been around before, but I just noticed that
connection from cygwin's build of SSH triggers false CRC32
EXPLOIT alarm:

[**] EXPLOIT ssh CRC32 overflow filler [**]
11/26-14:29:43.033100 158.194.80.111:3725 -> 158.194.80.95:22
TCP TTL:128 TOS:0x0 ID:33924 IpLen:20 DgmLen:672 DF
***AP*** Seq: 0x26B45101  Ack: 0xB0489F84  Win: 0xFAD9  TcpLen: 20
00 00 02 74 0B 14 BB 44 84 22 F8 03 71 DD 4A F7  ...t...D."..q.J.
E7 80 F2 3E 42 51 00 00 00 3D 64 69 66 66 69 65  ...>BQ...=diffie
2D 68 65 6C 6C 6D 61 6E 2D 67 72 6F 75 70 2D 65  -hellman-group-e
78 63 68 61 6E 67 65 2D 73 68 61 31 2C 64 69 66  xchange-sha1,dif
66 69 65 2D 68 65 6C 6C 6D 61 6E 2D 67 72 6F 75  fie-hellman-grou
70 31 2D 73 68 61 31 00 00 00 0F 73 73 68 2D 72  p1-sha1....ssh-r
73 61 2C 73 73 68 2D 64 73 73 00 00 00 96 61 65  sa,ssh-dss....ae
73 31 32 38 2D 63 62 63 2C 33 64 65 73 2D 63 62  s128-cbc,3des-cb
63 2C 62 6C 6F 77 66 69 73 68 2D 63 62 63 2C 63  c,blowfish-cbc,c
61 73 74 31 32 38 2D 63 62 63 2C 61 72 63 66 6F  ast128-cbc,arcfo
75 72 2C 61 65 73 31 39 32 2D 63 62 63 2C 61 65  ur,aes192-cbc,ae
73 32 35 36 2D 63 62 63 2C 72 69 6A 6E 64 61 65  s256-cbc,rijndae
6C 31 32 38 2D 63 62 63 2C 72 69 6A 6E 64 61 65  l128-cbc,rijndae
6C 31 39 32 2D 63 62 63 2C 72 69 6A 6E 64 61 65  l192-cbc,rijndae
6C 32 35 36 2D 63 62 63 2C 72 69 6A 6E 64 61 65  l256-cbc,rijndae
6C 2D 63 62 63 40 6C 79 73 61 74 6F 72 2E 6C 69  l-cbc at ...4151...
75 2E 73 65 00 00 00 96 61 65 73 31 32 38 2D 63  u.se....aes128-c
62 63 2C 33 64 65 73 2D 63 62 63 2C 62 6C 6F 77  bc,3des-cbc,blow
66 69 73 68 2D 63 62 63 2C 63 61 73 74 31 32 38  fish-cbc,cast128
2D 63 62 63 2C 61 72 63 66 6F 75 72 2C 61 65 73  -cbc,arcfour,aes
31 39 32 2D 63 62 63 2C 61 65 73 32 35 36 2D 63  192-cbc,aes256-c
62 63 2C 72 69 6A 6E 64 61 65 6C 31 32 38 2D 63  bc,rijndael128-c
62 63 2C 72 69 6A 6E 64 61 65 6C 31 39 32 2D 63  bc,rijndael192-c
62 63 2C 72 69 6A 6E 64 61 65 6C 32 35 36 2D 63  bc,rijndael256-c
62 63 2C 72 69 6A 6E 64 61 65 6C 2D 63 62 63 40  bc,rijndael-cbc@
6C 79 73 61 74 6F 72 2E 6C 69 75 2E 73 65 00 00  lysator.liu.se..
00 55 68 6D 61 63 2D 6D 64 35 2C 68 6D 61 63 2D  .Uhmac-md5,hmac-
73 68 61 31 2C 68 6D 61 63 2D 72 69 70 65 6D 64  sha1,hmac-ripemd
31 36 30 2C 68 6D 61 63 2D 72 69 70 65 6D 64 31  160,hmac-ripemd1
36 30 40 6F 70 65 6E 73 73 68 2E 63 6F 6D 2C 68  60 at ...4152...,h
6D 61 63 2D 73 68 61 31 2D 39 36 2C 68 6D 61 63  mac-sha1-96,hmac
2D 6D 64 35 2D 39 36 00 00 00 55 68 6D 61 63 2D  -md5-96...Uhmac-
6D 64 35 2C 68 6D 61 63 2D 73 68 61 31 2C 68 6D  md5,hmac-sha1,hm
61 63 2D 72 69 70 65 6D 64 31 36 30 2C 68 6D 61  ac-ripemd160,hma
63 2D 72 69 70 65 6D 64 31 36 30 40 6F 70 65 6E  c-ripemd160 at ...4153...
73 73 68 2E 63 6F 6D 2C 68 6D 61 63 2D 73 68 61  ssh.com,hmac-sha
31 2D 39 36 2C 68 6D 61 63 2D 6D 64 35 2D 39 36  1-96,hmac-md5-96
00 00 00 04 6E 6F 6E 65 00 00 00 04 6E 6F 6E 65  ....none....none
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00 00 00 00 00 00 00 00                          ........

$ ssh -V
OpenSSH_2.9.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602F

I guess the SSH CRC32 EXPLOIT rule should be changed to be more
specific.

Regards,
Michal Podsednik
podsednm at ...4150...





More information about the Snort-users mailing list