[Snort-users] Re: Snort-users digest, Vol 1 #1339 - 10 msgs

Russell Fulton r.fulton at ...3809...
Mon Nov 26 11:53:09 EST 2001


> From:podsednm at ...4150...
> To:snort-users at lists.sourceforge.net
> Date: 26 Nov 2001 15:18:16 +0100
> Subject: [Snort-users] cygwin SSH triggers false CRC32 EXPLOIT FILLER alarm
> 
> Hello,
> Sorry if this has been around before, but I just noticed that a
> connection from cygwin's build of SSH triggers a false CRC32
> EXPLOIT alarm:
> 
> [**] EXPLOIT ssh CRC32 overflow filler [**]
> 11/26-14:29:43.033100 158.194.80.111:3725 -> 158.194.80.95:22
> TCP TTL:128 TOS:0x0 ID:33924 IpLen:20 DgmLen:672 DF
> ***AP*** Seq: 0x26B45101  Ack: 0xB0489F84  Win: 0xFAD9  TcpLen: 20
> 00 00 02 74 0B 14 BB 44 84 22 F8 03 71 DD 4A F7  ...t...D."..q.J.
> E7 80 F2 3E 42 51 00 00 00 3D 64 69 66 66 69 65  ...>BQ...=diffie
> 

I have heard that any ssh2 connection will trigger this rule.  I have 
disabled it; the other two are adequate to catch real attacks.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
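
Added example, not part of the original posts: a triage check that decodes the payload bytes shown in the quoted alert using the SSH-2 binary packet layout from RFC 4253 and tests whether the TCP payload is exactly one cleartext `SSH_MSG_KEXINIT` packet, i.e. ordinary key exchange. The function names are hypothetical, and the input is only the 32 bytes visible in the dump plus the lengths from the alert's header lines.

```python
import struct

# First 32 payload bytes, copied from the hex dump in the quoted alert.
ALERT_PAYLOAD_HEAD = bytes.fromhex(
    "000002740B14BB448422F80371DD4AF7"
    "E780F23E42510000003D646966666965"
)
# From the alert's decoded headers: DgmLen:672, IpLen:20, TcpLen:20.
DGM_LEN, IP_LEN, TCP_LEN = 672, 20, 20

SSH_MSG_KEXINIT = 20  # RFC 4253, section 7.1


def parse_ssh2_head(data):
    """Decode the cleartext SSH-2 packet header (RFC 4253, section 6) and,
    for KEXINIT, the start of the first name-list (kex_algorithms)."""
    if len(data) < 6:
        raise ValueError("need at least 6 bytes")
    packet_length, padding_length, msg_type = struct.unpack(">IBB", data[:6])
    info = {
        "packet_length": packet_length,
        "padding_length": padding_length,
        "msg_type": msg_type,
        "kex_list_length": None,
        "kex_prefix": None,
    }
    # KEXINIT body: 16-byte random cookie, then uint32 length + name-list.
    if msg_type == SSH_MSG_KEXINIT and len(data) >= 26:
        (list_len,) = struct.unpack(">I", data[22:26])
        info["kex_list_length"] = list_len
        # The dump may be truncated, so this can be only a prefix of the list.
        info["kex_prefix"] = data[26:26 + list_len].decode("ascii", "replace")
    return info


def looks_like_kexinit(data, tcp_payload_len):
    """True when the payload is exactly one well-formed SSH-2 KEXINIT packet."""
    try:
        h = parse_ssh2_head(data)
    except ValueError:
        return False
    return (
        h["msg_type"] == SSH_MSG_KEXINIT
        # packet_length does not count its own 4-byte field
        and h["packet_length"] + 4 == tcp_payload_len
        # RFC 4253 requires at least 4 bytes of padding
        and 4 <= h["padding_length"] < h["packet_length"]
        and h["kex_prefix"] is not None
    )
```

For the alert above the length field (0x274 = 628) plus 4 equals the 632-byte TCP payload, and the first name-list starts with `diffie`, so the check returns true.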




