[Snort-users] Rule SID 1325

Brian bmc at ...950...
Thu Nov 6 12:07:28 EST 2003


On Thu, Nov 06, 2003 at 10:22:02AM -0800, Matt Linton wrote:
> I've seen a few random messages to this effect in the past, but it's worth
> noting: The rule #1325 seems to repeatedly false positive on SSH v2
> connections as a part of the normal handshake. Is this rule obsolete, or
> perhaps SSH with the minimum of options set simply has a lot of "00"
> options at the end, matching the rule?

This rule is turned off in the default ruleset. The docs should get
updated to have the false positive of any modern ssh 2 client traffic
(though I thought they did).

-brian



