[Snort-users] EXPLOIT ssh CRC32 false alerts

Jean Michel BARBET Jean-Michel.Barbet at ...3724...
Mon Jun 17 06:20:03 EDT 2002


Hello,

It looks like I am getting false SSH alerts since I upgraded my SSH 
servers from SSHV1 to SSHV2 (OpenSSH) :

[**] [1:1325:1] EXPLOIT ssh CRC32 overflow filler [**]
[Classification: Executable code was detected] [Priority: 1]
06/17-14:22:08.003877 XXX.XXX.XXX.XXX:1090 -> YYY.YYY.YYY.YYY:22
TCP TTL:54 TOS:0x0 ID:61699 IpLen:20 DgmLen:672 DF
***AP*** Seq: 0xE0667173  Ack: 0x43E2EA00  Win: 0x1920  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2347]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]

Has anybody noticed the same? Any explanation (is it normal that the
filler "|00 00 00 00 00 00 00 00 00 00 00 00 00|" appears in normal
operation of the V2 protocol?)

How can I modify the rules? (Or maybe this is fixed in more recent
rules; I am using the rules that came with Snort version 1.8.2, Build 86.)

Thank you.

Jean-Michel.
-- 
------------------------------------------------------------------------
Jean-michel BARBET                    | Tel: +33 (0)2 51 85 84 86 
Laboratoire SUBATECH Nantes France    | Fax: +33 (0)2 51 85 84 79
CNRS-IN2P3/Ecole des Mines/Universite | E-Mail: barbet at ...3724...
------------------------------------------------------------------------
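Added example (not from the post or from the Snort project): a small Python parser for the Snort full-alert format quoted above, with a filter that pulls out SID 1325 hits against port 22 so the suspected false positives can be counted per source before the rule is tuned. The sample alerts are constructed; the second record's SID and message are made up for contrast.

```python
import re
from collections import Counter

# Constructed sample in Snort's "full" alert layout, shaped like the alert in the post.
# The XXX/YYY/ZZZ addresses are placeholders, and SID 9999999 is invented for contrast.
SAMPLE_ALERTS = """\
[**] [1:1325:1] EXPLOIT ssh CRC32 overflow filler [**]
[Classification: Executable code was detected] [Priority: 1]
06/17-14:22:08.003877 XXX.XXX.XXX.XXX:1090 -> YYY.YYY.YYY.YYY:22
TCP TTL:54 TOS:0x0 ID:61699 IpLen:20 DgmLen:672 DF
***AP*** Seq: 0xE0667173  Ack: 0x43E2EA00  Win: 0x1920  TcpLen: 20
[Xref => http://www.securityfocus.com/bid/2347]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-0144]

[**] [1:9999999:1] CONSTRUCTED sample alert [**]
[Classification: Misc activity] [Priority: 3]
06/17-14:30:02.550010 ZZZ.ZZZ.ZZZ.ZZZ:4412 -> YYY.YYY.YYY.YYY:80
"""

FIELDS = [  # (line pattern, names of the captured groups)
    (re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$"), ("gid", "sid", "rev", "msg")),
    (re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$"), ("classification", "priority")),
    (re.compile(r"^(\S+) (\S+?):(\d+) -> (\S+?):(\d+)$"), ("ts", "src", "sport", "dst", "dport")),
]
XREF = re.compile(r"^\[Xref => (.*?)\]$")

def parse_alerts(text):
    """One dict per [**] block; all-digit fields become ints, Xrefs collect into a list."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"xrefs": []}
        for line in block.splitlines():
            m = XREF.match(line)
            if m:
                rec["xrefs"].append(m[1])
                continue
            for pattern, keys in FIELDS:
                m = pattern.match(line)
                if m:
                    rec.update(zip(keys, (int(v) if v.isdigit() else v for v in m.groups())))
                    break
        records.append(rec)
    return records

def crc32_filler_hits(records, ssh_port=22):
    """Alerts from the post's rule (SID 1325) against the SSH port, plus a per-source count."""
    hits = [r for r in records if r.get("sid") == 1325 and r.get("dport") == ssh_port]
    return hits, Counter(r["src"] for r in hits)
```

Sources that only ever trigger SID 1325 against the upgraded OpenSSH servers, with no other CRC32 rule firing, are the candidates to review before adjusting the rule.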